A company is designing a defense-in-depth strategy for their Azure environment. They want to ensure that if a virtual machine is compromised, the attacker cannot move laterally to other VMs in the same virtual network. Which security control should they prioritize?
- A. Enable Azure DDoS Protection on the virtual network
  Why wrong: DDoS protection only mitigates volumetric attacks, not lateral movement.
- B. Implement network segmentation using NSGs and application security groups
  Why correct: Network segmentation restricts east-west traffic between VMs, limiting lateral movement.
- C. Enable multi-factor authentication (MFA) for all admin accounts
  Why wrong: MFA is important for identity security but does not prevent lateral movement after a VM is compromised.
- D. Deploy Azure Bastion for secure remote access
  Why wrong: Azure Bastion secures RDP/SSH access but does not segment network traffic.