SC-900 Study Guide

Domain 1: Security, Compliance & Identity Concepts

  • Security Foundations: Shared Responsibility & Defence-in-Depth Free
  • Zero Trust: Never Trust, Always Verify Free
  • Encryption, Hashing & GRC Free
  • Identity: The New Security Perimeter Free

Domain 2: Microsoft Entra Capabilities

  • Microsoft Entra ID: Your Identity Hub Free
  • Hybrid & External Identities
  • Authentication: Passwords, MFA & Passwordless
  • Password Protection & Self-Service Reset
  • Conditional Access: Smart Access Decisions
  • Entra Roles and RBAC
  • Identity Governance: Entitlements and Access Reviews
  • PIM and Identity Protection

Domain 3: Microsoft Security Solutions

  • Azure Network Defence: DDoS, Firewall & WAF
  • Azure Infrastructure Security: VNets, NSGs, Bastion & Key Vault
  • Microsoft Defender for Cloud
  • Microsoft Sentinel: SIEM Meets SOAR
  • Defender XDR: The Unified Threat Platform
  • Microsoft Defender for Office 365
  • Microsoft Defender for Endpoint
  • Defender for Cloud Apps & Defender for Identity
  • Vulnerability Management & Threat Intelligence

Domain 4: Microsoft Compliance Solutions

  • Service Trust Portal, Privacy Principles & Microsoft Priva
  • The Purview Portal & Compliance Manager
  • Data Classification & Sensitivity Labels
  • Data Loss Prevention (DLP)
  • Records Management & Retention
  • Insider Risk Management
  • eDiscovery & Audit

Domain 1: Security, Compliance & Identity Concepts Free ⏱ ~11 min read

Encryption, Hashing & GRC

How data stays secret (encryption), how you verify it hasn't been tampered with (hashing), and how organisations manage security at scale (GRC).

How do we protect data?

☕ Simple explanation

Encryption is a locked box. Hashing is a fingerprint.

Encryption: You put a letter in a locked box and give the key to the recipient. They unlock it and read the letter. Anyone who intercepts the box can’t read the letter without the key.

Hashing: You take a fingerprint of the letter. You can’t recreate the letter from the fingerprint, but you can check whether someone has changed it by comparing fingerprints. If the fingerprints match, the letter is untampered.

GRC: The rules, checklists, and processes an organisation follows to manage security risks and meet legal requirements.

Encryption transforms readable data (plaintext) into unreadable data (ciphertext) using a cryptographic algorithm and a key. The data can only be decrypted with the correct key. It protects data confidentiality.

Hashing produces a fixed-length output (hash) from any input. It is a one-way function — you cannot reverse a hash back to the original data. Hashing verifies data integrity, not confidentiality.

GRC (Governance, Risk, and Compliance) is a framework for managing an organisation’s overall approach to security governance, risk assessment, and regulatory compliance.

Encryption: keeping secrets secret

Symmetric vs asymmetric encryption

Two approaches to encryption

| Feature | Symmetric | Asymmetric |
|---|---|---|
| Keys used | One shared key (same for encrypt and decrypt) | Two keys — public key (encrypt) and private key (decrypt) |
| Speed | Fast — good for large data | Slower — good for small data or key exchange |
| Analogy | A padlock where both people have the same key | A letterbox — anyone can drop mail in (public), only you can open it (private) |
| Example | AES encryption for files at rest | TLS handshake, digital signatures, HTTPS |
| Challenge | How do you safely share the key? | Slower performance for bulk data |

Encryption at rest vs in transit

| Type | What It Protects | When It Applies | Example |
|---|---|---|---|
| At rest | Stored data | Data sitting on a disk, database, or storage account | Azure Storage encryption, BitLocker |
| In transit | Moving data | Data travelling across a network | HTTPS/TLS, VPN tunnels |

Key exam concept: Microsoft encrypts data at rest by default in Azure and Microsoft 365. Data in transit is protected by TLS. The exam expects you to know both types exist and when each applies.

💡 Scenario: Sam protects customer data at BrightStar

BrightStar’s online store processes credit card payments.

  • In transit: When a customer enters their card number, HTTPS (TLS) encrypts it between their browser and Sam’s web server. Anyone intercepting the traffic sees gibberish.
  • At rest: The payment processor stores transaction records encrypted on disk. Even if someone steals the hard drive, they can’t read the data without the encryption key.

Sam doesn’t configure this manually — Azure handles encryption at rest by default, and HTTPS is standard for web traffic. But Sam needs to understand WHY both matter.

Hashing: verifying integrity

Hashing takes any input and produces a fixed-length string (the hash or digest). Key properties:

  • One-way: You cannot reverse a hash to get the original input
  • Deterministic: The same input always produces the same hash
  • Avalanche effect: A tiny change in input produces a completely different hash
  • Fixed length: No matter how big the input, the hash is always the same size

Common use cases

| Use Case | How Hashing Helps |
|---|---|
| Password storage | Stores hashed passwords, not plaintext. Even if the database leaks, attackers get hashes — not passwords. |
| File integrity | Download a file and compare its hash to the published hash. If they match, the file hasn’t been tampered with. |
| Digital signatures | Hash the document, then encrypt the hash with a private key. The recipient decrypts with the public key to verify authenticity. |

Hashing + salting

A salt is a random value generated for each password and combined with it before hashing. Because every user gets a different salt, two identical passwords no longer produce the same hash — which defeats rainbow table attacks (precomputed tables of hashes for common passwords).
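The hash properties listed above (fixed length, determinism, avalanche effect), the file-integrity check, and salted password storage, worked through in one added example that is not part of the original study guide. It uses only Python's standard library, a constructed sample "download", and PBKDF2-HMAC-SHA256 as the salted, iterated password hash (a choice made here; the guide does not prescribe an algorithm).

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: the bytes of a "vendor update" Sam downloaded (not a real file).
UPDATE_CONTENT = b"BrightStar POS update v1.2\n"

# Work factor for the password hash; a constructed value, tune it to your own hardware budget.
ITERATIONS = 200_000


def sha256_hex(data: bytes) -> str:
    """Fixed-length digest: any input in, always 64 hex characters out."""
    return hashlib.sha256(data).hexdigest()


def differing_positions(a: bytes, b: bytes) -> int:
    """Avalanche check: how many of the 64 hex digits differ between two inputs' hashes."""
    return sum(1 for x, y in zip(sha256_hex(a), sha256_hex(b)) if x != y)


def verify_download(content: bytes, published_hex: str) -> bool:
    """File integrity: recompute the hash and compare it with the vendor's published value."""
    return hmac.compare_digest(sha256_hex(content), published_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); store (salt, digest), never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user: identical passwords -> different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Login check: re-hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    published = sha256_hex(UPDATE_CONTENT)
    print("download intact:", verify_download(UPDATE_CONTENT, published))
    print("tampered download intact:", verify_download(UPDATE_CONTENT + b"x", published))
    print("hex digits changed by a one-byte edit:", differing_positions(b"letter", b"letters"))
    salt1, h1 = hash_password("Tr0ub4dor&3")
    salt2, h2 = hash_password("Tr0ub4dor&3")
    print("same password, different stored hashes:", h1 != h2)
    print("login with stored salt:", verify_password("Tr0ub4dor&3", salt1, h1))
```

Note that the stored digest is never decrypted at login: the server re-hashes what the user typed and compares, which is exactly why a leaked database of (salt, digest) pairs does not hand attackers the passwords.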

Key exam concept: The exam tests whether you know the difference between encryption (reversible, protects confidentiality) and hashing (one-way, protects integrity). Passwords should be hashed, not encrypted.

💡 Exam tip: encryption vs hashing

If the question asks about protecting confidentiality (keeping data secret) → Encryption.

If the question asks about verifying integrity (confirming data hasn’t changed) → Hashing.

If the question asks about password storage → Hashing (with salting). Never store passwords in plaintext or encrypted form.

Trap question pattern: “Which method allows you to recover the original data?” → Encryption (not hashing — hashing is one-way).

GRC: Governance, Risk, and Compliance

GRC is how organisations manage security at a business level — not just technical controls, but policies, processes, and accountability.

| Component | What It Means | Example |
|---|---|---|
| Governance | The rules and policies that guide an organisation’s security strategy | “All employees must use MFA” — set by leadership |
| Risk | Identifying, assessing, and managing threats to the organisation | “What happens if our customer database is breached?” — risk assessment |
| Compliance | Meeting external legal, regulatory, and industry requirements | GDPR (privacy), HIPAA (healthcare), PCI DSS (payment cards) |

💡 Scenario: BrightStar faces GRC in retail

Sam’s BrightStar Retail handles credit card payments, which means PCI DSS compliance:

  • Governance: Sam creates a security policy requiring MFA for all employees and encrypted payment processing.
  • Risk: Sam identifies that an unsecured Wi-Fi network in the store is a risk to customer card data. They install a separate, isolated network for POS terminals.
  • Compliance: PCI DSS requires regular security scans and access controls. Sam uses Microsoft Compliance Manager to track their progress against these requirements.

GRC is not a product — it’s a framework. Microsoft provides tools (Compliance Manager, Purview) to help, but the responsibility for governance and risk decisions stays with the organisation.

🎬 Video walkthrough

Encryption, Hashing & GRC — SC-900 Module 3 (video coming soon, ~9 min)

Flashcards

Question: What is the key difference between encryption and hashing?

Answer: Encryption is REVERSIBLE — you can decrypt data with the correct key (protects confidentiality). Hashing is ONE-WAY — you cannot reverse a hash to get the original data (protects integrity).

Question: What is the difference between symmetric and asymmetric encryption?

Answer: Symmetric: one shared key for both encrypt and decrypt (fast, used for bulk data). Asymmetric: two keys — public key encrypts, private key decrypts (used for key exchange and digital signatures).

Question: What does GRC stand for, and what does each component mean?

Answer: Governance = internal policies and rules. Risk = identifying and managing threats. Compliance = meeting external legal and regulatory requirements. GRC is a framework, not a product.

Question: Why are passwords hashed with a salt instead of just hashed?

Answer: A salt adds random data before hashing so identical passwords produce different hashes. This defeats rainbow table attacks where attackers pre-compute hashes for common passwords.

Knowledge Check

  • BrightStar stores customer passwords in their online store database. Sam wants to ensure that even if the database is compromised, attackers cannot read the passwords. What should Sam use?
  • Sam needs to verify that a software update downloaded from a vendor hasn't been tampered with during transit. Which technology should Sam use?
  • Which GRC component requires BrightStar to follow PCI DSS rules because they process credit card payments?


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.