1 00:00:00,400 --> 00:00:01,780 Fantastic.
2 00:00:01,780 --> 00:00:03,270 You have finished the section,
3 00:00:03,270 --> 00:00:06,410 and it's time for another section review.
4 00:00:06,410 --> 00:00:09,490 In this lesson, hey, it's all a review.
5 00:00:09,490 --> 00:00:12,300 If you come across something that you don't understand,
6 00:00:12,300 --> 00:00:15,150 you should be jumping back into those lessons.
7 00:00:15,150 --> 00:00:19,120 Second, just like always, we're focusing on the DP-203,
8 00:00:19,120 --> 00:00:20,830 so I'm going to try and highlight things
9 00:00:20,830 --> 00:00:22,730 that you definitely need to remember.
10 00:00:22,730 --> 00:00:25,900 And then 3, again, if you don't know something, review.
11 00:00:25,900 --> 00:00:29,270 At this point, we should start to see blended concepts.
12 00:00:29,270 --> 00:00:30,250 So we should be looking
13 00:00:30,250 --> 00:00:34,420 at a security concept that ties into HDInsight.
14 00:00:34,420 --> 00:00:36,870 And from there, we're adding in an additional concept
15 00:00:36,870 --> 00:00:39,350 about Key Vault or optimization.
16 00:00:39,350 --> 00:00:41,340 And so this will continue for this section,
17 00:00:41,340 --> 00:00:44,400 and then on through the next couple of sections as well.
18 00:00:44,400 --> 00:00:46,900 So if you find yourself missing topics
19 00:00:46,900 --> 00:00:48,780 or not understanding something fully,
20 00:00:48,780 --> 00:00:51,260 you may have to dive back into a previous lesson,
21 00:00:51,260 --> 00:00:53,590 but make sure that you do that.
22 00:00:53,590 --> 00:00:55,360 So with that, let's get started.
23 00:00:55,360 --> 00:00:59,290 First, it's all about the golden goose, your data.
24 00:00:59,290 --> 00:01:02,550 You need to make sure that you are protecting your data.
25 00:01:02,550 --> 00:01:05,450 And we do this through defense in depth,
26 00:01:05,450 --> 00:01:07,210 building additional layers,
27 00:01:07,210 --> 00:01:09,540 and each one of these layers helps
28 00:01:09,540 --> 00:01:12,810 to separate your environment from your data.
29 00:01:12,810 --> 00:01:15,980 And it provides multiple layers of security,
30 00:01:15,980 --> 00:01:18,480 so when we look at those multiple layers,
31 00:01:18,480 --> 00:01:20,500 if you breach through 1 layer,
32 00:01:20,500 --> 00:01:23,890 hopefully you haven't gotten access to everything.
33 00:01:23,890 --> 00:01:25,303 Defense in depth.
34 00:01:26,350 --> 00:01:30,360 Next, we talked about data encryption, that's data at rest.
35 00:01:30,360 --> 00:01:33,710 Data at rest is when your data is not moving.
36 00:01:33,710 --> 00:01:36,220 So that is the data encryption of that.
37 00:01:36,220 --> 00:01:39,070 You use symmetric encryption keys to do that.
38 00:01:39,070 --> 00:01:42,120 Most services have data at rest on by default.
39 00:01:42,120 --> 00:01:44,240 We also talked about data in motion.
40 00:01:44,240 --> 00:01:46,380 This is when your data is moving.
41 00:01:46,380 --> 00:01:49,410 We encrypt it, and we use Transport Layer Security,
42 00:01:49,410 --> 00:01:51,290 or TLS, for that.
43 00:01:51,290 --> 00:01:53,210 Most services have this on by default,
44 00:01:53,210 --> 00:01:55,020 and it is recommended that you're using
45 00:01:55,020 --> 00:01:58,570 at least version 1.2 of TLS.
46 00:01:58,570 --> 00:02:01,030 Key here for the DP-203,
47 00:02:01,030 --> 00:02:05,343 most data at rest and data in motion is on by default.
48 00:02:07,090 --> 00:02:08,190 Types of masks.
49 00:02:08,190 --> 00:02:09,950 We talked about masking data.
50 00:02:09,950 --> 00:02:12,220 And remember, there's quite a few different types.
51 00:02:12,220 --> 00:02:13,870 There's default, and credit card,
52 00:02:13,870 --> 00:02:17,360 and email, and the random number, and custom.
53 00:02:17,360 --> 00:02:19,710 When we look at these different types,
54 00:02:19,710 --> 00:02:23,280 first you need to remember that masking is a security layer
55 00:02:23,280 --> 00:02:26,060 for people that are already in the environment.
56 00:02:26,060 --> 00:02:27,890 It should not be designed to keep you
57 00:02:27,890 --> 00:02:29,280 out of the environment.
58 00:02:29,280 --> 00:02:31,860 It should be designed as a light security measure
59 00:02:31,860 --> 00:02:34,540 for someone who needs access to the environment,
60 00:02:34,540 --> 00:02:36,520 but maybe we want to mask a few things,
61 00:02:36,520 --> 00:02:38,300 like credit card numbers.
62 00:02:38,300 --> 00:02:39,930 The other piece to remember is,
63 00:02:39,930 --> 00:02:42,810 I would actually take a minute, look through this list,
64 00:02:42,810 --> 00:02:45,380 and memorize those 5 different types:
65 00:02:45,380 --> 00:02:48,990 default, credit card, email, random number, and custom.
66 00:02:48,990 --> 00:02:50,810 That's going to help you to know what's possible
67 00:02:50,810 --> 00:02:53,643 and, briefly, what each one of those things does.
68 00:02:55,530 --> 00:02:57,090 Why we audit.
69 00:02:57,090 --> 00:02:59,660 We audit to track database events.
70 00:02:59,660 --> 00:03:02,100 These are security concerns,
71 00:03:02,100 --> 00:03:05,120 because if we have established a baseline
72 00:03:05,120 --> 00:03:07,310 of what's happening in your environment,
73 00:03:07,310 --> 00:03:10,410 we can start to see things that are out of the norm.
74 00:03:10,410 --> 00:03:13,320 We talked about auditing for regulatory requirements.
75 00:03:13,320 --> 00:03:16,160 This is not the only factor or the only reason we audit,
76 00:03:16,160 --> 00:03:18,300 but auditing for regulatory requirements
77 00:03:18,300 --> 00:03:21,100 is definitely something that you need to keep in mind.
78 00:03:21,100 --> 00:03:22,130 We talked about trends.
79 00:03:22,130 --> 00:03:24,880 Again, this is security and operations.
80 00:03:24,880 --> 00:03:26,800 The trends help us to identify,
81 00:03:26,800 --> 00:03:28,610 again, those security concerns.
82 00:03:28,610 --> 00:03:32,480 If we see events that are out of place, if we see spikes
83 00:03:32,480 --> 00:03:35,160 in outgoing data or things like that.
84 00:03:35,160 --> 00:03:36,610 In addition, we can also look
85 00:03:36,610 --> 00:03:38,730 at optimizations with auditing.
86 00:03:38,730 --> 00:03:41,160 Can we run our queries at a different time?
87 00:03:41,160 --> 00:03:46,160 Can we optimize by increasing or decreasing our compute?
88 00:03:46,240 --> 00:03:49,150 It's important that you establish a good auditing practice
89 00:03:49,150 --> 00:03:50,860 for your environment.
90 00:03:50,860 --> 00:03:54,990 Where do we audit? Synapse and SQL, at least as a feature.
91 00:03:54,990 --> 00:03:57,210 So you can audit in any service, obviously,
92 00:03:57,210 --> 00:04:00,440 by looking at Azure Monitor or Log Analytics;
93 00:04:00,440 --> 00:04:03,890 but in Synapse and SQL Database, there's actually a feature
94 00:04:03,890 --> 00:04:05,830 that you can choose to turn on auditing.
95 00:04:05,830 --> 00:04:09,143 So make sure that you're looking at that for the DP-203.
96 00:04:11,840 --> 00:04:13,100 Service endpoints.
97 00:04:13,100 --> 00:04:15,990 We talked about service endpoints being a place
98 00:04:15,990 --> 00:04:18,600 that provides secure and direct connectivity
99 00:04:18,600 --> 00:04:20,260 to Azure services.
100 00:04:20,260 --> 00:04:22,210 It increases our defense in depth
101 00:04:22,210 --> 00:04:26,110 and our security by directly connecting a virtual network
102 00:04:26,110 --> 00:04:28,650 to an Azure resource.
103 00:04:28,650 --> 00:04:32,410 This is only for endpoints in Azure virtual networks,
104 00:04:32,410 --> 00:04:33,480 with the exception being
105 00:04:33,480 --> 00:04:36,970 that down there at the bottom, we can use IP ranges
106 00:04:36,970 --> 00:04:41,780 or our ExpressRoute, if we have an on-premises environment.
107 00:04:41,780 --> 00:04:43,250 And this is also only
108 00:04:43,250 --> 00:04:45,610 for traffic within the virtual network region.
109 00:04:45,610 --> 00:04:47,280 You can't connect virtual networks
110 00:04:47,280 --> 00:04:50,113 to resources in different regions.
111 00:04:52,200 --> 00:04:53,940 Establishing best practices.
112 00:04:53,940 --> 00:04:56,240 Do you have a data retention policy?
113 00:04:56,240 --> 00:04:58,130 You should have a data retention policy
114 00:04:58,130 --> 00:05:01,420 that includes lifetime and regulatory requirements.
115 00:05:01,420 --> 00:05:05,460 Your data should move from active, to archive, to purge.
116 00:05:05,460 --> 00:05:08,370 We should be watching preconfigured backups from services,
117 00:05:08,370 --> 00:05:09,990 and what this means is when we spin up
118 00:05:09,990 --> 00:05:12,310 an Azure Synapse environment, for instance,
119 00:05:12,310 --> 00:05:16,300 is it preconfigured and storing backups for us?
120 00:05:16,300 --> 00:05:17,730 If so, we just need to make sure
121 00:05:17,730 --> 00:05:20,920 that we understand what that is, how long it's being stored,
122 00:05:20,920 --> 00:05:22,920 and where it's going, because this is going to help us
123 00:05:22,920 --> 00:05:25,210 with our regulatory requirements
124 00:05:25,210 --> 00:05:28,160 and our overall data retention policy.
125 00:05:28,160 --> 00:05:30,490 We want to purge off hours.
126 00:05:30,490 --> 00:05:33,020 We don't want to tie up resources from the environment
127 00:05:33,020 --> 00:05:35,420 during peak times, because it's not something
128 00:05:35,420 --> 00:05:38,163 that is generally mission-critical for your business.
129 00:05:39,070 --> 00:05:42,660 Next, we need to assess and run cost management analysis.
130 00:05:42,660 --> 00:05:44,520 We should have a good understanding,
131 00:05:44,520 --> 00:05:46,690 or at least a reasonable understanding,
132 00:05:46,690 --> 00:05:49,980 of the storage that we have and the movement of data
133 00:05:49,980 --> 00:05:53,173 as we move from that active, to archive, to purge.
134 00:05:54,470 --> 00:05:57,510 Finally, for multi- and hybrid cloud environments, we need
135 00:05:57,510 --> 00:06:01,130 to map storage, meaning our data retention policy needs
136 00:06:01,130 --> 00:06:03,660 to take into account multi-cloud and hybrid
137 00:06:03,660 --> 00:06:05,853 so we know where we're storing things.
138 00:06:07,810 --> 00:06:10,690 RBAC. This one is an important one.
139 00:06:10,690 --> 00:06:13,160 We talked about security principals,
140 00:06:13,160 --> 00:06:16,890 role definitions, and scope.
141 00:06:16,890 --> 00:06:18,340 And then we talked about that tie-in,
142 00:06:18,340 --> 00:06:19,690 which is the role assignment,
143 00:06:19,690 --> 00:06:22,510 the marriage of all 3 of those principles.
144 00:06:22,510 --> 00:06:24,160 Make sure that you take a look
145 00:06:24,160 --> 00:06:26,340 at RBAC and spend some time here.
146 00:06:26,340 --> 00:06:28,590 RBAC is something that is a critical concept
147 00:06:28,590 --> 00:06:30,670 for any Azure certification.
148 00:06:30,670 --> 00:06:34,110 It's also a critical concept for, really, anything in Azure.
149 00:06:34,110 --> 00:06:35,490 So make sure that you understand
150 00:06:35,490 --> 00:06:38,300 what a security principal is, role definition,
151 00:06:38,300 --> 00:06:41,110 and scope, and how all those things play together
152 00:06:41,110 --> 00:06:44,713 to make your role assignment and identity access management.
153 00:06:46,720 --> 00:06:48,010 Talked about Azure Key Vault,
154 00:06:48,010 --> 00:06:50,730 our place to securely store and access tokens,
155 00:06:50,730 --> 00:06:53,860 passwords, certificates, and API keys.
156 00:06:53,860 --> 00:06:56,460 We talked about it being a centralized place
157 00:06:56,460 --> 00:06:58,350 to store our secrets.
158 00:06:58,350 --> 00:06:59,810 So, secrets are just anything
159 00:06:59,810 --> 00:07:01,693 that we want to control access to.
160 00:07:02,850 --> 00:07:05,610 And then we also talked about Azure Key Vault being a way
161 00:07:05,610 --> 00:07:08,140 to monitor access of keys
162 00:07:08,140 --> 00:07:11,360 as they're used to decrypt things like a database.
163 00:07:11,360 --> 00:07:14,160 It also provides us some separation, again,
164 00:07:14,160 --> 00:07:16,260 from that defense in depth concept,
165 00:07:16,260 --> 00:07:20,510 because we can have a security admin managing our keys,
166 00:07:20,510 --> 00:07:24,500 we can have a database admin managing our database,
167 00:07:24,500 --> 00:07:26,130 and then we could have, like, an analyst
168 00:07:26,130 --> 00:07:29,340 that's accessing the database using the key
169 00:07:29,340 --> 00:07:31,730 and their Azure Active Directory access
170 00:07:31,730 --> 00:07:34,410 to authenticate them to access a database.
171 00:07:34,410 --> 00:07:36,930 So we can have some additional separation there.
172 00:07:36,930 --> 00:07:38,970 And so Azure Key Vault is definitely something
173 00:07:38,970 --> 00:07:40,620 that you want to take advantage of.
174 00:07:42,150 --> 00:07:45,320 We also talked about how we authenticate in Databricks.
175 00:07:45,320 --> 00:07:47,730 This is through Azure Active Directory,
176 00:07:47,730 --> 00:07:51,330 by defining our service principal and getting our token,
177 00:07:51,330 --> 00:07:53,820 or through personal access tokens.
178 00:07:53,820 --> 00:07:56,210 For the DP-203, you need to understand
179 00:07:56,210 --> 00:07:58,360 the 2 different options that are possible
180 00:07:58,360 --> 00:08:01,200 to authenticate in Databricks.
181 00:08:01,200 --> 00:08:04,580 Also, just a public service announcement,
182 00:08:04,580 --> 00:08:06,850 tokens should be used in place of passwords.
183 00:08:06,850 --> 00:08:09,613 Don't hardcode passwords, use tokens instead.
184 00:08:11,480 --> 00:08:15,050 In summary, this is not a comprehensive list.
185 00:08:15,050 --> 00:08:16,750 We talked about more in this section,
186 00:08:16,750 --> 00:08:17,790 but these are the concepts
187 00:08:17,790 --> 00:08:21,000 that I felt were the most important for the DP-203
188 00:08:21,000 --> 00:08:22,923 to jump back in and take a look at.
189 00:08:23,850 --> 00:08:28,850 This section is also a smaller percent of the DP-203.
190 00:08:29,060 --> 00:08:31,550 So don't spend a massive amount of time
191 00:08:31,550 --> 00:08:33,110 in the Security section,
192 00:08:33,110 --> 00:08:34,840 because it is going to be probably
193 00:08:34,840 --> 00:08:37,633 between 10 and 20% of the exam.
194 00:08:38,660 --> 00:08:40,390 Don't forget about the labs.
195 00:08:40,390 --> 00:08:42,140 If you've heard that before,
196 00:08:42,140 --> 00:08:44,090 congratulations, that means you're moving through the course
197 00:08:44,090 --> 00:08:45,510 at a pretty good clip.
198 00:08:45,510 --> 00:08:47,520 We've talked about that several times.
199 00:08:47,520 --> 00:08:48,800 Don't forget about the lab;
200 00:08:48,800 --> 00:08:51,620 you need those for the exam and for your career.
201 00:08:51,620 --> 00:08:54,050 Finally, if this course is helpful for you,
202 00:08:54,050 --> 00:08:56,590 don't forget to smash that thumbs up button on those videos.
203 00:08:56,590 --> 00:08:58,820 I greatly appreciate it.
204 00:08:58,820 --> 00:09:01,180 Congrats again on finishing the section.
205 00:09:01,180 --> 00:09:02,660 The best news yet:
206 00:09:02,660 --> 00:09:04,230 there's only 3 sections to go,
207 00:09:04,230 --> 00:09:06,600 including the conclusion section.
208 00:09:06,600 --> 00:09:07,790 So you're almost there.
209 00:09:07,790 --> 00:09:10,190 Keep it up, and I'll see you in the next section.