This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Background
You are an architect for Trey Research Inc., a software as a service (SaaS) company. The company is developing a new product named Tailspin for consumer and small business financial monitoring. The product will be offered as an API to banks and financial institutions. Banks and financial institutions will integrate Tailspin into their own online banking offerings.
All employees of Trey Research are members of an Active Directory Domain Services (AD DS) group named TREY.
Technical Requirements
Architecture
All application and customer data will be stored in Azure SQL Database instances.
API calls that modify data will be implemented as queue messages in an Azure Storage Queue. Queue messages must expire after 90 minutes.
Security
The solution has the following security requirements:
Common security issues such as SQL injection and XSS must be prevented.

Database-related security issues must not result in customers' data being exposed.

Exposure of application source code and deployment artifacts must not result in customer data being exposed.

Every 90 days, all application code must undergo a security review to ensure that new or changed code does not introduce a security risk.

Remote code execution in the Web App must not result in the loss of security secrets.

Auditing, Monitoring, Alerting
The solution has the following requirements for auditing, monitoring, and alerting:
Changes to administrative group membership must be auditable.

Operations involving encryption keys must be auditable by users in the Azure Key Vault Auditors user role.

Resources must have monitoring and alerting configured in Azure Security Center.
Authorization, authentication
The solution has the following authentication and authorization requirements:
Azure Active Directory (Azure AD) must be used to authenticate users.

Compromised user accounts should be disabled as quickly as possible.

Only employees of Trey Research Inc. should be able to address automated security recommendations.
Service level agreement
Failure of any one Azure region must not impact service availability. Customer data must not be lost once accepted by the application.
Performance, resource utilization
The solution must meet the following performance and resource usage requirements:
Azure costs must be minimized.

Application performance must remain level, regardless of the geographic location of users.

All application diagnostic and activity logs must be captured without loss.

Compute resources must be shared across all databases used by the solution.

You need to ensure that authentication requirements are met.
What should you do?