articles/azure-australia/australia-overview.md (2 additions & 2 deletions)
@@ -1,11 +1,11 @@
1
1
---
2
2
title: What is Azure Australia? | Microsoft Docs
3
3
description: Guidance on configuring Azure within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
articles/azure-australia/azure-key-vault.md (9 additions & 9 deletions)
@@ -1,16 +1,16 @@
1
1
---
2
2
title: Azure Key Vault in Azure Australia
3
3
description: Guidance on configuring and using Azure Key Vault for key management within the Australian regions to meet the specific requirements of Australian Government policy, regulations, and legislation.
4
-
author: galey801
4
+
author: emilyre
5
5
ms.service: azure-australia
6
6
ms.topic: conceptual
7
7
ms.date: 07/22/2019
8
-
ms.author: grgale
8
+
ms.author: v-emread
9
9
---
10
10
11
11
# Azure Key Vault in Azure Australia
12
12
13
-
The secure storage of cryptographic keys and management of the cryptographic key lifecycle are critical elements within cryptographic systems. The service that provides this capability in Azure is the Azure Key Vault. Key Vault has been IRAP security accessed and ACSC certified for PROTECTED. This article outlines the key considerations when using Key Vault to comply with the Australian Signals Directorate’s (ASD) [Information Security Manual Controls](https://acsc.gov.au/infosec/ism/) (ISM).
13
+
The secure storage of cryptographic keys and management of the cryptographic key lifecycle are critical elements within cryptographic systems. The service that provides this capability in Azure is the Azure Key Vault. Key Vault has been IRAP security accessed and ACSC certified for PROTECTED. This article outlines the key considerations when using Key Vault to comply with the Australian Signals Directorate's (ASD) [Information Security Manual Controls](https://acsc.gov.au/infosec/ism/) (ISM).
14
14
15
15
Azure Key Vault is a cloud service that safeguards encryption keys and secrets. Because this data is sensitive and business critical, Key Vault enables secure access to key vaults, allowing only authorized users and applications. There are three main artifacts managed and controlled by Key Vault:
16
16
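Review bot: line 13 is rewritten only to swap the curly apostrophe in "ASD's", but the same line carries the typo "IRAP security accessed", which should read "IRAP security assessed" (IRAP is an assessment program); since this line is already under edit, fix the word in the same commit rather than leaving it for a later pass. The remaining changes in this hunk are the author/ms.author metadata reassignment, which needs no further comment.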
@@ -55,11 +55,11 @@ As required by the ISM, proper authentication and authorisation are required bef
55
55
Azure RBAC has one built-in role for Key Vault, [Key Vault Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#key-vault-contributor), to control management of the Key Vaults. The creation of custom roles aligned to more granular roles for managing your Key Vaults is recommended.
56
56
57
57
>[!WARNING]
58
-
>When access to keys is enabled via Key Vault access policy then the user or application has that access to all keys in the key vault (for example, if a user has ‘delete’ access then they can delete all keys). Therefore, multiple key vaults should be deployed to align with security domains/boundaries.
58
+
>When access to keys is enabled via Key Vault access policy then the user or application has that access to all keys in the key vault (for example, if a user has 'delete' access then they can delete all keys). Therefore, multiple key vaults should be deployed to align with security domains/boundaries.
59
59
60
60
### Networking
61
61
62
-
You can configure Key Vault firewalls and virtual networks to control access to the data plane. You can allow access to users or applications on specified networks while denying access to users or applications on all other networks. [Trusted services](https://docs.microsoft.com/azure/key-vault/key-vault-overview-vnet-service-endpoints#trusted-services) are an exception to this control if “Allow trusted services” is enabled. The virtual networking control does not apply to the management plane.
62
+
You can configure Key Vault firewalls and virtual networks to control access to the data plane. You can allow access to users or applications on specified networks while denying access to users or applications on all other networks. [Trusted services](https://docs.microsoft.com/azure/key-vault/key-vault-overview-vnet-service-endpoints#trusted-services) are an exception to this control if "Allow trusted services" is enabled. The virtual networking control does not apply to the management plane.
63
63
64
64
Access to Key Vaults should be explicitly restricted to the minimum set of networks that have users or applications requiring access to keys.
65
65
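Review bot: the Networking paragraph on line 62 ends by stating that the virtual networking control "does not apply to the management plane" without saying what does control it; since the line is being rewritten anyway, add a clause pointing back to the Azure RBAC role described on line 55, for example "... does not apply to the management plane, which is governed by Azure RBAC", so the reader is not left assuming the management plane is unprotected. The quote normalisation in the warning on line 58 is purely cosmetic.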
@@ -78,7 +78,7 @@ Go to the Microsoft Download Center and [download the Azure Key Vault BYOK tools
78
78
79
79
The ACSC requires Commonwealth entities to use the appropriate Azure services to undertake real-time monitoring and reporting on their Azure workloads.
80
80
81
-
Logging is enabled by enabling the **_“AuditEvent”_** diagnostic setting on Key Values. Audit events will be logged to the specified storage account. **_“RetentionInDays”_** period should be set according to the data retention policy. [Operations](https://docs.microsoft.com/azure/key-vault/key-vault-logging#interpret) on both the management plane and data plane are audited and logged. The [Azure Key Vault solution in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/insights/azure-key-vault) can be used to review Key Vault AuditEvent logs. A number of other Azure services can be used to process and distribute Key Vault AuditEvents.
81
+
Logging is enabled by enabling the **_"AuditEvent"_** diagnostic setting on Key Values. Audit events will be logged to the specified storage account. **_"RetentionInDays"_** period should be set according to the data retention policy. [Operations](https://docs.microsoft.com/azure/key-vault/key-vault-logging#interpret) on both the management plane and data plane are audited and logged. The [Azure Key Vault solution in Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/insights/azure-key-vault) can be used to review Key Vault AuditEvent logs. A number of other Azure services can be used to process and distribute Key Vault AuditEvents.
82
82
83
83
### Key rotation
84
84
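Review bot: "diagnostic setting on Key Values" on line 81 is a typo for "Key Vaults" and should be corrected in this rewrite. The same line says audit events "will be logged to the specified storage account" and that RetentionInDays is to be set per retention policy, yet the paragraph goes on to point at the Azure Key Vault solution in Azure Monitor; a diagnostic setting can target a storage account, an Event Hub or a Log Analytics workspace, and the RetentionInDays setting applies only to the storage-account destination, so the sentence should state which destination it assumes (or mention both) to avoid the reader expecting retention to apply to the Azure Monitor path.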
@@ -125,15 +125,15 @@ Key Vault support the following operations on a key:
125
125
126
126
There is a corresponding set of permissions that can be granted to users, service principals, or applications using Key Vault access control entries to enable them to execute key operations.
127
127
128
-
Key Vault has a soft delete feature to allow the recovery of deleted vaults and keys. By default, **_"soft delete"_** is not enabled, but once enabled, objects are held for 90 days (the retention period) while appearing to be deleted. An additional permission **_"purge"_**, allows the permanent deletion of keys if the **_“Purge Protection”_** option is disabled.
128
+
Key Vault has a soft delete feature to allow the recovery of deleted vaults and keys. By default, **_"soft delete"_** is not enabled, but once enabled, objects are held for 90 days (the retention period) while appearing to be deleted. An additional permission **_"purge"_**, allows the permanent deletion of keys if the **_"Purge Protection"_** option is disabled.
129
129
130
130
Creating or importing an existing key creates a new version of the key.
131
131
132
132
### Cryptographic operations
133
133
134
134
Key Vault also supports cryptographic operations using keys:
135
135
136
-
-**sign and verify:** this operation is a “sign hash” or “verify hash”. Key Vault does not support hashing of content as part of signature creation.
136
+
-**sign and verify:** this operation is a "sign hash" or "verify hash". Key Vault does not support hashing of content as part of signature creation.
137
137
-**key encryption/wrapping:** this operation is used to protect another key.
138
138
-**encrypt and decrypt:** the stored key is used to encrypt or decrypt a single block of data
139
139
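Review bot: the bullet on line 136 is written as `-**sign and verify:**` with no space after the hyphen, so Markdown renders it as a paragraph beginning with a literal dash rather than as a list item; as the line is being rewritten, change it to `- **sign and verify:**`. The two unchanged context bullets on lines 137 and 138 have the same defect, and the "encrypt and decrypt" item lacks a terminating full stop, so they should be fixed alongside it. On line 128 the comma in `**_"purge"_**, allows` is stray and should be dropped.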
@@ -154,7 +154,7 @@ There are three aspects to storage and keys stored in Key Vault:
154
154
- Azure Storage Service Encryption (SSE) for data at rest
155
155
- Managed disks and Azure Disk Encryption
156
156
157
-
Key Vault’s Azure Storage account key management is an extension to Key Vault’s key service that supports synchronization and regeneration (rotation) of storage account keys. [Azure Storage integration with Azure Active Directory](https://docs.microsoft.com/azure/storage/common/storage-auth-aad) (preview) is recommended when released as it provides superior security and ease of use.
157
+
Key Vault's Azure Storage account key management is an extension to Key Vault's key service that supports synchronization and regeneration (rotation) of storage account keys. [Azure Storage integration with Azure Active Directory](https://docs.microsoft.com/azure/storage/common/storage-auth-aad) (preview) is recommended when released as it provides superior security and ease of use.
158
158
SSE uses two keys to manage encryption of data at rest:
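Review bot: line 157 still describes Azure Storage integration with Azure Active Directory as "(preview)" and "recommended when released", which makes the recommendation conditional on an unspecified date; since the line is being edited for the apostrophes, confirm the current release status of that feature and remove the preview qualifier if it has shipped, or otherwise state what the reader should use in the meantime.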
articles/azure-australia/azure-policy.md (3 additions & 3 deletions)
@@ -1,11 +1,11 @@
1
1
---
2
2
title: Security compliance with Azure Policy and Azure Blueprints
3
3
description: Ensuring compliance and enforcing security with Azure Policy and Azure Blueprints for Australian Government agencies as it relates to the ASD ISM and Essential 8
4
-
author: galey801
4
+
author: emilyre
5
5
ms.service: azure-australia
6
6
ms.topic: conceptual
7
7
ms.date: 07/22/2019
8
-
ms.author: grgale
8
+
ms.author: v-emread
9
9
---
10
10
11
11
# Security compliance with Azure Policy and Azure Blueprints
@@ -105,7 +105,7 @@ To create an Azure Blueprint, you can start with a blank Blueprint template, or
These artifacts could include the Azure Resource Group and Resources and associated Azure Policy and Policy Initiatives to enforce the configuration required for your environment to be compliant you’re your regulatory requirements, for example, the ISM controls for system hardening.
108
+
These artifacts could include the Azure Resource Group and Resources and associated Azure Policy and Policy Initiatives to enforce the configuration required for your environment to be compliant you're your regulatory requirements, for example, the ISM controls for system hardening.
109
109
110
110
Each of these artifacts can also be configured with parameters. These values are provided when the Blueprint has been assigned to an Azure subscription and deployed. Parameters allow for a single Blueprint to be created and used to deploy resources into different environments without having to edit the underlying Blueprint.
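Review bot: line 108 converts the apostrophe but keeps the garbled phrase "to be compliant you're your regulatory requirements"; the intended wording is "to be compliant with your regulatory requirements", and this is the line to fix it on rather than shipping a corrected apostrophe inside a sentence that still does not parse.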
articles/azure-australia/gateway-egress-traffic.md (6 additions & 6 deletions)
@@ -1,16 +1,16 @@
1
1
---
2
2
title: Controlling egress traffic in Azure Australia
3
3
description: Key elements of controlling egress traffic in Azure to meet Australian Government requirements for Secure Internet Gateways
4
-
author: galey801
4
+
author: emilyre
5
5
ms.service: azure-australia
6
6
ms.topic: conceptual
7
7
ms.date: 07/29/2019
8
-
ms.author: grgale
8
+
ms.author: v-emread
9
9
---
10
10
11
11
# Controlling egress traffic in Azure Australia
12
12
13
-
A fundamental component of securing ICT systems is controlling network traffic. Restricting communication to only the traffic necessary for a system to function reduces the potential for compromise. Visibility and control over the external systems that your applications and services communicate with helps detect compromised systems, and attempted or successful data exfiltration. This article provides information on how outbound (egress) network traffic works within Azure and provides recommendations for implementing network security controls for an internet connected system that aligns with the Australian Cyber Security Centre (ACSC) Consumer Guidance and the intent of the ACSC’s Information Security Manual (ISM).
13
+
A fundamental component of securing ICT systems is controlling network traffic. Restricting communication to only the traffic necessary for a system to function reduces the potential for compromise. Visibility and control over the external systems that your applications and services communicate with helps detect compromised systems, and attempted or successful data exfiltration. This article provides information on how outbound (egress) network traffic works within Azure and provides recommendations for implementing network security controls for an internet connected system that aligns with the Australian Cyber Security Centre (ACSC) Consumer Guidance and the intent of the ACSC's Information Security Manual (ISM).
14
14
15
15
## Requirements
16
16
@@ -23,13 +23,13 @@ The following key requirements for controlling egress traffic in Azure have been
23
23
Description|Source
24
24
--------------- |------------------
25
25
**Implement Network Segmentation and Segregation**, for example, use an n-tier architecture, using host-based firewalls and network access controls to limit inbound and outbound network connectivity to only required ports and protocols.| [Cloud Computing for Tenants](https://acsc.gov.au/publications/protect/cloud-security-tenants.htm)
26
-
**Implement adequately high bandwidth, low latency, reliable network connectivity** between the tenant (including the tenant’s remote users) and the cloud service to meet the tenant’s availability requirements | [ACSC Protect: Implementing Network Segmentation and Segregation](https://acsc.gov.au/publications/protect/network_segmentation_segregation.htm)
26
+
**Implement adequately high bandwidth, low latency, reliable network connectivity** between the tenant (including the tenant's remote users) and the cloud service to meet the tenant's availability requirements | [ACSC Protect: Implementing Network Segmentation and Segregation](https://acsc.gov.au/publications/protect/network_segmentation_segregation.htm)
27
27
**Apply technologies at more than just the network layer**. Each host and network should be segmented and segregated, where possible, at the lowest level that can be practically managed. In most cases, this applies from the data link layer up to and including the application layer; however, in sensitive environments, physical isolation may be appropriate. Host-based and network-wide measures should be deployed in a complementary manner and be centrally monitored. Just implementing a firewall or security appliance as the only security measure is not sufficient. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://acsc.gov.au/publications/protect/network_segmentation_segregation.htm)
28
-
**Use the principles of least privilege and need‐to‐know**. If a host, service, or network doesn’t need to communicate with another host, service, or network, it should not be allowed to. If a host, service, or network only needs to talk to another host, service, or network on a specific port or protocol, it should be restricted to only those ports and protocols. Adopting these principles across a network will complement the minimisation of user privileges and significantly increase the overall security posture of the environment. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://acsc.gov.au/publications/protect/network_segmentation_segregation.htm)
28
+
**Use the principles of least privilege and need‐to‐know**. If a host, service, or network doesn't need to communicate with another host, service, or network, it should not be allowed to. If a host, service, or network only needs to talk to another host, service, or network on a specific port or protocol, it should be restricted to only those ports and protocols. Adopting these principles across a network will complement the minimisation of user privileges and significantly increase the overall security posture of the environment. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://acsc.gov.au/publications/protect/network_segmentation_segregation.htm)
29
29
**Separate hosts and networks based on their sensitivity or criticality to business operations**. This may include using different hardware or platforms depending on different security classifications, security domains, or availability/integrity requirements for certain hosts or networks. In particular, separate management networks and consider physically isolating out-of-band management networks for sensitive environments. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://acsc.gov.au/publications/protect/network_segmentation_segregation.htm)
30
30
**Identify, authenticate, and authorise access by all entities to all other entities**. All users, hosts, and services should have their access to all other users, hosts, and services restricted to only those required to perform their designated duties or functions. All legacy or local services which bypass or downgrade the strength of identification, authentication, and authorisation services should be disabled wherever possible and have their use closely monitored. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://acsc.gov.au/publications/protect/network_segmentation_segregation.htm)
31
31
**Implement allow listing of network traffic instead of deny listing**. Only permit access for known good network traffic (traffic that is identified, authenticated, and authorised), rather than denying access to known bad network traffic (for example, blocking a specific address or service). Allow lists result in a superior security policy to deny lists, and significantly improve your capacity to detect and assess potential network intrusions. |[ACSC Protect: Implementing Network Segmentation and Segregation](https://acsc.gov.au/publications/protect/network_segmentation_segregation.htm)
32
-
**Defining an allow list of permitted websites and blocking all unlisted websites** effectively removes one of the most common data delivery and exfiltration techniques used by an adversary. If users have a legitimate requirement to access numerous websites, or a rapidly changing list of websites; you should consider the costs of such an implementation. Even a relatively permissive allow list offers better security than relying on deny lists, or no restrictions at all, while still reducing implementation costs. An example of a permissive allow list could be permitting the entire Australian subdomain, that is ‘*.au’, or allowing the top 1,000 sites from the Alexa site ranking (after filtering Dynamic Domain Name System (DDNS) domains and other inappropriate domains).| [Australian Government Information Security Manual (ISM)](https://www.cyber.gov.au/ism)
32
+
**Defining an allow list of permitted websites and blocking all unlisted websites** effectively removes one of the most common data delivery and exfiltration techniques used by an adversary. If users have a legitimate requirement to access numerous websites, or a rapidly changing list of websites; you should consider the costs of such an implementation. Even a relatively permissive allow list offers better security than relying on deny lists, or no restrictions at all, while still reducing implementation costs. An example of a permissive allow list could be permitting the entire Australian subdomain, that is '*.au', or allowing the top 1,000 sites from the Alexa site ranking (after filtering Dynamic Domain Name System (DDNS) domains and other inappropriate domains).| [Australian Government Information Security Manual (ISM)](https://www.cyber.gov.au/ism)
33
33
|
34
34
35
35
This article provides information and recommendations on how network traffic leaving your Azure environment is controlled. It covers systems deployed in Azure using both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).
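Review bot: the row on line 28 replaces the curly apostrophe in "doesn't" but leaves the hyphens in "need‐to‐know" as they were, and those appear to be non-ASCII hyphen characters rather than hyphen-minus; if the purpose of this commit is to normalise punctuation to plain ASCII, replace them in the same pass so the line does not need a third touch. Separately, line 33 is a lone `|`, which renders as an empty table row under the ISM entry; it should be removed or the preceding row terminated properly.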