How Azure Security Works

Azure Security documentation shows that Microsoft Azure Security infrastructure operates under a shared security responsibility model. This means security is a joint effort between Azure and the customers, except in an on-premise setting where the customers carry all the responsibilities. However, as customers move into the cloud, some Azure customer security responsibilities are transferred.

This is how the division of responsibilities changes across different cloud service models:

• In IaaS (infrastructure as a service), Azure takes over physical security (hosts, networks, and datacenter).
• In PaaS (platform as a service), Azure takes over physical security and the operating system. Azure shares identity and directory infrastructure, network controls, and applications with the customers.
• In SaaS (software as a service), Azure takes more responsibilities: physical security, operating system, network controls, and application. Azure would still share identity and directory infrastructure with the customer.

In a nutshell, Azure secures the physical infrastructure, then the division of responsibilities changes depending on the cloud delivery model. Customers have more responsibilities in IaaS than in PaaS or SaaS. Regardless of whether it’s on-premise, IaaS, PaaS, or SaaS, customers are always be responsible for these three aspects: data governance and rights management, account and access management, and endpoint protection.

Azure Security Best Practices

The Azure Security documentation is also a handy source for security recommendations and best practices. Here are some tips to get you started quickly:

• Upgrade your Azure subscription to Azure Security Center Standard to enjoy more functionality, like finding and fixing security vulnerabilities, detecting threats with analytics and intelligence, and quick response to an attack.
• Store your keys in the Azure Key Vault. This vault is designed to support passwords, database credentials, and other secrets.
• Install a web application firewall.
• Use Azure MFA (Multi-factor Authentication), especially for admin accounts.
• Encrypt virtual hard disk files.
• Connect Azure VMs (virtual machines) to other networked devices by placing them on Azure virtual networks.
• Use Azure’s DDoS services to prevent and mitigate DDoS (distributed denial of service) attacks.
• Have security policies in place to prevent abuse. To help you get started, Azure can auto-generate a security policy per an Azure subscription.
• Regularly review the Azure Security Center dashboard. The dashboard provides a central view of your Azure resources and recommends actions.
• Implement Azure Security Center’s Role-Based Access Control (RBAC). There are five built-in roles (Subscription Owner, Resource Group Owner, Subscription Contributor, Resource Group Contributor, and Reader) and two unique security roles (Security Administrator and Security Reader). These roles vary in permissions.

Remember that cloud security is a shared responsibility between you and Azure. Depending on the cloud delivery model, the responsibilities you share with Azure will change. Don’t forget too to implement the security practices recommended by Microsoft.

Digital Guardian is a proud member of MISA (Microsoft’s Intelligent Security Association) since 2018. MISA is composed of independent software vendors whose goal is to help users better defend themselves against cyber threats. Check out our cloud data protection solution today by scheduling a demo.