Does the solution meet the goal?

Topic 3, Tailspin Toys (NEW)

Background

Security

The security team at Tailspin Toys plans to eliminate legacy authentication methods that are in use, including NTLM and Windows pass-through authentication.

Tailspin Toys needs to share resources with several business partners. You are investigating options to securely share corporate data.

Tailspin Toys has several databases that contain personally identifiable information (PII). Users access PII only through the Tailspin Toys e-commerce website.

You secure apps by using on-premises Active Directory Domain Services (AD DS) credentials or Microsoft SQL Server logins.

Apps

The Tailspin Toys e-commerce site is hosted on multiple on-premises virtual machines (VMs). Each VM runs either Internet Information Server (IIS) or SQL Server 2012, depending on its role. The site is published to the Internet by using a single endpoint that balances the load across web servers. The site does not encrypt traffic between database servers and web servers.

The Tailspin Toys Customer Analyzer app analyzes e-commerce transactions to identify customer buying patterns, and outputs recommended product sale pricing. The app runs large processing jobs that run for 75-120 minutes several times each day. The application development team plans to replace the current solution with a parallel processing solution that scales based on computing demands.

The Tailspin Toys Human Resources (HR) app is an in-house developed app that hosts sensitive employee data. The app uses SQL authentication for Role-Based Access Control (RBAC).

Problem statement

The Tailspin Toys IT Leadership Team plans to address deficiencies in access control, data security, performance, and availability requirements. All applications must be updated to meet any new standards that are defined.

The Tailspin Toys e-commerce site was recently targeted by a cyberattack. In the attack, account information was stolen from the customer database. Transactions that were in progress during the attack were not completed. Forensic investigation of the attack has revealed that the stolen customer data was captured in transit from the database to a compromised web server.

The HR team reports that unauthorized IT employees can view sensitive employee data by using service or application accounts.

Business Requirements

Tailspin Toys e-commerce site

The business has requested that security and availability of the e-commerce site be improved to meet the following requirements.

・ Communication between site components must be secured to stop data breaches. If servers are breached, the data must not be readable.

・ The site must be highly available at each application tier, as well as the published endpoint.

・ Customers must be able to authenticate to the e-commerce site with their existing social media accounts.

Tailspin Toys Customer Analyzer app

The business requires that processing time be reduced from 75-120 minutes to 5-15 minutes.

Tailspin Toys HR app

Only authorized employees and business partners are allowed to view sensitive employee data. HR has requested a mobile experience for end users.

Technical Requirements

Security

The security team has established the following requirements for role-separation and RBAC:

・ Log on hours defined in AD DS must be enforced for users that access cloud resources.

・ IT operations team members must be able to deploy and manage all resources in Azure, but must not be able to grant permissions to others.

・ Application development team members must be able to deploy and manage Azure Web Apps.

・ SQL database administrators must be able to deploy and manage SQL databases used by Tailspin Toys applications.

・ Application support analysts must be able to manage resources for the application(s) for which they are responsible.

・ Service desk analysts must be able to view service status and component settings.

・ Role assignment should use the principle of least privilege.

Tailspin Toys e-commerce site

The application is currently using a pair of hardware load balancers behind a single published endpoint to load balance traffic. Customer data is hosted in a SQL Server 2012 database. Customer user accounts are stored in an AD DS instance.

The updated application and supporting infrastructure must:

・ Provide high availability in the event of failure in a single Azure SQL Database instance.

・ Allow secure web traffic on port 443 only.

・ Enable customers to authenticate with Facebook, Microsoft Live ID or other social media identities.

・ Encrypt SQL data at-rest.

・ Encrypt data in motion between back-end SQL database instances and web application instances.

・ Prevent administrator and service accounts from viewing PII data.

・ Mask account and PII data presented to end users.

・ Minimize outage duration in the event of an Azure datacenter failure.

・ The site should scale automatically to meet customer demand.

・ The site should continue to serve requests, even in the event of failure of an Azure datacenter.

・ Optimize site response time by auto-directing to the closest datacenter based on customer’s geographic location.

Operations must be able to deploy the solution using an Azure Resource Manager (ARM) template.

Tailspin Toys Customer Analyzer app

The app uses several compute-intensive tasks that create long-running requests to the system, processing large amounts of data. The app runs on two large VMs that are scaled to max capacity in the corporate datacenter. The VMs cannot be scaled up or out to meet processing demands.

The new solution must meet the following requirements:

・ Schedule processing of a large amount of pricing data on an hourly basis.

・ Provide parallel processing and scale-on-demand computing resources to provide additional capacity as required.

・ Processing times must meet the 5-15 minute processing requirement.

・ Use simultaneous compute nodes to enable high performance computing for analysis.

・ Minimal administrative efforts and custom development.

Operations must be able to deploy the solution using an Azure Resource Manager (ARM) template.

Tailspin Toys HR app

The solution architecture must meet the following requirements:

・ Integrate with Azure Active Directory (Azure AD).

・ Encrypt data at rest and in-transit.

・ Limit access based on location, filtered by IP addresses for corporate sites and authorized business partners.

・ Mask data presented to employees.

・ Must be available on mobile devices.

Operations must be able to deploy the solution using an Azure Resource Manager (ARM) template.

You need to recommend a solution architecture for the Tailspin Toys e-commerce website for app tier, data tier, and user authentication.

Solution:

Web site based on Azure App Service

App data stored in Azure SQL Database

Authentication provided through Azure AD business-to-consumer (B2C)

Solution deployed to multiple Azure regional datacenters

Load balancing with Azure Traffic Manager

Does the solution meet the goal?
A. Yes
B. No

Answer: A
