AZ-900: Security and Governance in the Cloud Curriculum Overview
Describe the benefits of security and governance in the cloud
Cloud Security and Governance Curriculum Overview
This curriculum provides a comprehensive deep-dive into how cloud providers and customers share the responsibility of securing environments and maintaining governance. Grounded in the AZ-900 Microsoft Azure Fundamentals framework, this overview outlines the transition from traditional on-premises security to the automated, policy-driven world of the cloud.
Prerequisites
Before engaging with this module, students should have a baseline understanding of the following:
- General Computing Knowledge: Understanding of servers, networking, and databases.
- Internet Connectivity: Basic knowledge of how web-based applications communicate.
- Fundamental Cloud Concepts: Familiarity with IaaS, PaaS, and SaaS models and the basic concept of virtualization.
Module Breakdown
| Module | Focus Area | Difficulty |
|---|---|---|
| 1. The Shared Responsibility Model | Defining the line between provider and customer duties. | Beginner |
| 2. Identity and Access Management | Managing users through Microsoft Entra ID and RBAC. | Intermediate |
| 3. Cloud Governance Frameworks | Implementing Azure Policy, resource locks, and tagging. | Intermediate |
| 4. Defense-in-Depth & Zero Trust | Layered security strategies and the "never trust, always verify" mindset. | Advanced |
| 5. Monitoring and Compliance | Using tools like Azure Advisor and Microsoft Defender for Cloud. | Intermediate |
Learning Objectives per Module
Module 1: The Shared Responsibility Model
- Objective: Differentiate between customer and provider responsibilities across different cloud service types.
- Key Concept: In the cloud, the provider always manages physical security, but the customer remains responsible for data and identities.
Module 2: Identity, Access, and Security
- Objective: Describe the role of Microsoft Entra ID (formerly Azure AD) and multifactor authentication (MFA).
- Key Concept: Moving beyond passwords to passwordless and conditional access strategies.
Module 3: Governance and Compliance
- Objective: Explain how to use Azure Policy to enforce organizational standards and Resource Locks to prevent accidental deletion.
- Key Concept: Governance ensures that resource usage aligns with corporate goals and budget constraints.
Module 4: Defense-in-Depth
- Objective: Understand the layered approach to security, starting from physical security up to the data layer.
Success Metrics
To demonstrate mastery of this curriculum, the learner must be able to:
- Map Responsibilities: Correctly identify who is responsible for OS patching in an IaaS vs. PaaS environment.
- Architect Access: Design a basic Role-Based Access Control (RBAC) structure for a development team.
- Policy Identification: Select the correct Azure tool (e.g., Azure Policy vs. Azure Blueprints) for a specific compliance requirement.
- Cost Governance: Explain how tags and policies can be used to prevent cost overruns.
Real-World Application
In a professional environment, cloud security and governance are not just "IT problems"—they are business enablers.
> [!IMPORTANT]
> Cloud providers invest billions in security. By leveraging their default protections, small companies can achieve a level of security previously only available to global enterprises.
Case Study: Financial Services Compliance
A fintech startup must comply with strict data residency laws (ensuring data stays within a specific country).
- Without Governance: A developer might accidentally spin up a database in a different region, leading to massive legal fines.
- With Governance: The company uses Azure Policy to restrict resource creation to only the "West US" region. Any attempt to create a resource elsewhere is automatically blocked.
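To make the case study concrete, the block below is an added example (not part of the original curriculum) that writes the "West US only" rule as an Azure Policy definition and then applies it locally to a few constructed resource requests. The two policy documents follow the real Azure Policy definition schema (`properties.policyRule` with an `if`/`then` block and `[parameters('...')]` references). The `evaluate()` function is a teaching simulation, not Azure's engine: it supports only the operators used here, normalises location strings so the display name "West US" and the ARM name "westus" compare equal, and reports "allow" where Azure would simply take no action. The resource requests (`SQL_EASTUS`, `STORAGE_WESTUS`, `DNS_GLOBAL`) are constructed samples. It also goes one step beyond the case study by showing why a naive rule is not enough: resources whose location is `global` (DNS zones, for instance) have no region, so a residency policy must exempt them or it will block them as well, which is what the built-in "Allowed locations" policy does.

```python
"""Azure Policy 'allowed locations' rule, plus a constructed local simulation of
how the rule is applied to a resource request. evaluate() is not Azure's engine."""
import re

# Naive rule: deny anything whose location is outside the allowed list.
NAIVE_POLICY = {
    "properties": {
        "displayName": "Allowed locations (naive)",
        "mode": "Indexed",
        "parameters": {
            "allowedLocations": {
                "type": "Array",
                "metadata": {"displayName": "Allowed locations", "strongType": "location"},
            }
        },
        "policyRule": {
            "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
            "then": {"effect": "deny"},
        },
    }
}

# Refined rule, modelled on the built-in "Allowed locations" policy: 'global'
# resources (DNS zones, Traffic Manager profiles) have no region and are exempted,
# otherwise the residency rule would block them too.
REFINED_POLICY = {
    "properties": {
        "displayName": "Allowed locations (global resources exempt)",
        "mode": "Indexed",
        "parameters": NAIVE_POLICY["properties"]["parameters"],
        "policyRule": {
            "if": {
                "allOf": [
                    {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                    {"field": "location", "notEquals": "global"},
                ]
            },
            "then": {"effect": "deny"},
        },
    }
}

# Parameter values supplied at assignment time. "westus" is the ARM name of the
# "West US" region named in the case study.
ASSIGNMENT_PARAMS = {"allowedLocations": ["westus"]}

# Constructed resource requests, shaped like the fields Azure Policy inspects.
SQL_EASTUS = {"type": "Microsoft.Sql/servers", "location": "eastus"}
STORAGE_WESTUS = {"type": "Microsoft.Storage/storageAccounts", "location": "West US"}
DNS_GLOBAL = {"type": "Microsoft.Network/dnsZones", "location": "global"}

_PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def _resolve(value, params):
    """Replace a [parameters('name')] reference with the value from the assignment."""
    if isinstance(value, str):
        match = _PARAM_REF.match(value)
        if match:
            return params[match.group(1)]
    return value


def _norm(value):
    """Simulation's simplification: case-insensitive, spaces dropped, so that the
    display name 'West US' and the ARM name 'westus' compare equal."""
    return (value or "").replace(" ", "").lower()


def _condition_holds(cond, resource, params):
    """Evaluate one policy condition against a resource (subset of operators only)."""
    if "not" in cond:
        return not _condition_holds(cond["not"], resource, params)
    if "allOf" in cond:
        return all(_condition_holds(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition_holds(c, resource, params) for c in cond["anyOf"])
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(_resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(_resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in {_norm(v) for v in _resolve(cond["in"], params)}
    if "notIn" in cond:
        return actual not in {_norm(v) for v in _resolve(cond["notIn"], params)}
    raise ValueError(f"unsupported condition in simulation: {cond}")


def evaluate(policy, params, resource):
    """Return the rule's effect ('deny') when its 'if' matches, else 'allow'.
    Azure has no 'allow' effect; a non-matching rule simply takes no action."""
    rule = policy["properties"]["policyRule"]
    if _condition_holds(rule["if"], resource, params):
        return rule["then"]["effect"]
    return "allow"


def residency_report(policy, params=ASSIGNMENT_PARAMS):
    """Outcome for each constructed request, keyed by resource type."""
    requests = (SQL_EASTUS, STORAGE_WESTUS, DNS_GLOBAL)
    return {r["type"]: evaluate(policy, params, r) for r in requests}


if __name__ == "__main__":
    for name, policy in (("naive", NAIVE_POLICY), ("refined", REFINED_POLICY)):
        print(name, residency_report(policy))
```

Running it shows the naive rule denying the DNS zone alongside the East US database, while the refined rule denies only the out-of-region database. In a real tenant the definition is registered with `az policy definition create` (passing the rule and parameter documents) and bound to a subscription or management group with `az policy assignment create`; with the `deny` effect, Azure Resource Manager rejects the request before the resource is created, which is the "automatically blocked" behaviour the case study describes.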
Governance Workflow
Estimated Timeline
- Week 1: Introduction to Cloud Security & Shared Responsibility.
- Week 2: Identity Management (Entra ID, SSO, MFA).
- Week 3: Governance Tools (Policy, Locks, Tags).
- Week 4: Security Operations & Monitoring (Defender, Azure Monitor).
> [!TIP]
> Always remember the "Zero Trust" principle: Never trust, always verify. Every access request should be fully authenticated, authorized, and encrypted.