Recently I took and passed the SC-100 Exam, which, if you also hold the required prerequisites (SC-200, SC-300, or AZ-500), gains you Microsoft Certified Cybersecurity Architect. I found the exam fairly challenging – and must admit this was one of the broadest Microsoft exams I’ve taken, which is to be expected really with this level of exam. As always, after passing an exam, I like to write up a post on the materials that I used to study for the exam, in the hope that my experience and learning material will be useful for others.
It wouldn’t be a blog post from me without a hint of Infrastructure as Code too… more on that later!
Resources
- Study Guide for SC-100 – this was invaluable for my own study and learning. Not only does this contain everything you need to know about the exam – for example, skills measured, change log, practice assessments etc, but it also provides a clear view on the specific areas and topics that you can be expected to be asked in the exam. https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/sc-100
- Charbel Nemnom’s SC-100 guide was also brilliant – it really helped cement many of the topics and provided links to additional learning and resources to help. https://charbelnemnom.com/sc-100-microsoft-cybersecurity-architect-expert/
- As always, the Microsoft Learn GitHub repositories are a great help too – https://github.com/MicrosoftLearning/SC-100-Microsoft-Cybersecurity-Architect (Charbel also mentions these in his article above).
- Getting some time to be hands on and deploy some of the solutions tested in the exam also really helped me – specifically aspects covered in the Infrastructure Section of the Microsoft Learn Modules – https://learn.microsoft.com/en-us/training/paths/sc-100-design-security-solutions-applications-data/
- Previous exams and their respective practice tests and actual tests were also a great help – specifically AZ-500 and SC-300 (both exams I have done), and I found that taking the practice tests for these helped cement aspects also covered in SC-100:
  - SC-300 Practice Assessment: https://learn.microsoft.com/en-us/credentials/certifications/identity-and-access-administrator/practice/assessment?assessment-type=practice&assessmentId=60&practice-assessment-type=certification
  - AZ-500 Practice Assessment: https://learn.microsoft.com/en-us/credentials/certifications/azure-security-engineer/practice/assessment?assessment-type=practice&assessmentId=57&practice-assessment-type=certification
What about Infrastructure as Code (IAC)?
It really wouldn’t be a blog post from myself without some reference to Infrastructure as Code (IAC), and this exam, my learning for it, and the technologies within are no exception – IAC still has a very relevant place in the Microsoft Security Ecosystem!
I usually try and spend some time utilising IAC when learning new areas, because this is the primary method I’ll be using to apply those technologies moving forward. For example – learning something in the Azure Portal is great for me the first few times, but after this I like to try and develop repeatable methods for deployment. This, I find, speeds up my learning and development – and makes the whole process of using labs and test environments much more cost and time effective.
In my own development and learning, I found the use of IAC was most appropriate when configuring and securing Infrastructure Resources – for example when adhering to security baselines or standards. In particular, areas like Storage Accounts, Private Endpoints, and Network Security are easily configurable to a highly secure standard when using Terraform and the AzureRM provider, for example.
During my own learning for this exam, I spent some time working with the following Resources – specifically focusing on some of the infrastructure security aspects and elements, based on the learning objectives of the exam:
- Azure Firewall Security and Rules – within Terraform, Azure Firewall is straightforward to deploy and control, and allows implementation of a hub/spoke approach across Regions of your choosing. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/firewall
- Azure Firewall – see also a previous article I wrote up on Deploying and Configuring Azure Firewall using Terraform: https://jakewalsh.co.uk/deploying-and-configuring-azure-firewall-using-terraform/
- Azure Storage – Deployment and ongoing Management of Azure Storage is also straightforward when using IAC (Terraform in my case) – but specifically the security aspects of Storage Accounts need consideration for the SC-100 exam prep. Immutability Policies (https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container_immutability_policy), Network Rules (https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules), and the various encryption options around Accounts (https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) were my focus, as these are particularly relevant to the customer conversations I am having.
- Azure SQL – Anyone who has used Azure SQL will know there is a plethora of options available around security. For my own learning I focused on understanding integrations, for example using Private Networking, and configuring Firewall Rules etc. Azure SQL is far too large a topic to go into detail here – but as a starting point the Terraform registry provides guidance and examples: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_database
- Azure Monitor – Azure Monitor is also a broad area, and one that is also far too large to cover off in a single blog post. However, in prep for SC-100 I spent time understanding the types of data I could configure and collect (for example – using Log Analytics: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_datasource_windows_event) and then translating these into Monitor Workbooks and Action Groups.
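
To make the Azure Storage item above concrete, here is an added example (not code from the original post) that combines the three AzureRM resources linked there: account-level encryption and TLS settings, deny-by-default network rules, and a container immutability policy. The resource names, variables and retention period are placeholders, an already configured `azurerm` provider and an existing resource group are assumed, and argument names should be checked against the provider version you pin.

```hcl
# Added example: all names, variables and values below are placeholders.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "allowed_ips" {
  type        = list(string)
  description = "Public IPs allowed through the storage firewall (e.g. the Terraform runner)"
  default     = []
}
variable "allowed_subnet_ids" {
  type    = list(string)
  default = []
}

resource "azurerm_storage_account" "example" {
  name                     = "stexamplesc100lab" # placeholder; must be globally unique
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  min_tls_version                   = "TLS1_2" # refuse older TLS versions
  allow_nested_items_to_be_public   = false    # no anonymous blob/container access
  infrastructure_encryption_enabled = true     # second encryption layer; set at creation
}

resource "azurerm_storage_container" "audit" {
  name                  = "audit-logs"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"
}

# Deny by default, then allow only named IPs and subnets. With "Deny" in place,
# a Terraform runner whose IP is not listed can no longer manage containers.
resource "azurerm_storage_account_network_rules" "example" {
  storage_account_id         = azurerm_storage_account.example.id
  default_action             = "Deny"
  bypass                     = ["AzureServices"]
  ip_rules                   = var.allowed_ips
  virtual_network_subnet_ids = var.allowed_subnet_ids
  depends_on                 = [azurerm_storage_container.audit]
}

# Time-based retention on the container. Leave unlocked while testing:
# a locked policy cannot be unlocked again.
resource "azurerm_storage_container_immutability_policy" "audit" {
  storage_container_resource_manager_id = azurerm_storage_container.audit.resource_manager_id
  immutability_period_in_days           = 30
  protected_append_writes_enabled       = true
  locked                                = false
}
```
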
In the title of this post I said it would only be a hint of IAC – so that’s all for now!
Conclusion
As always, real experience and using your own Lab environment was hugely helpful for this exam – I found creating some of the scenarios outlined in the Learn Modules in my own lab helped massively. I’d also recommend spending time running through the Microsoft Learn Practice Questions; these give a great idea of the type and style of question you can expect on the exam. Good luck!