Exam SC-100 topic 5 question 4 discussion

Azure Backup: A security PIN Azure Storage: Immutable storage

1. Security PIN 2. Immutable storage https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware#azure-backup Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN before modifying online backups. https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware#steps-to-take-before-an-attack Online immutable storage (such as Azure Blob) enables you to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval.

1. Security PIN 2. Immutable storage

What is immutable storage against ransomware? Immutable storage, however, prevents data from being altered or deleted for a specified period. Even if ransomware gains access to the primary data, it cannot modify or encrypt immutable backup copies. This approach ensures the availability of uncorrupted data for recovery.

1. Security PIN 2. Immutable storage

Security pin and Immutable storage "Encryption by using platform-managed keys for Azure Storage" is always on by default, so doesn't makes sense. And even if it did, it doesn't protect against ransomware encryption. It protects the confidentiality of data.

This is my understanding based on this article and why Immutable storage makes sense for the 2nd part: https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption Azure Storage uses service-side encryption (SSE) to automatically encrypt your data when it is persisted to the cloud. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is similar to BitLocker encryption on Windows. Azure Storage encryption is enabled for all storage accounts, including both Resource Manager and classic storage accounts. Azure Storage encryption cannot be disabled. Because your data is secured by default, you don't need to modify your code or applications to take advantage of Azure Storage encryption.

It looks correct to me. A security PIN for backup and Encryption by using platform-managed keys for Azure Storage