Security is integrated into every cloud, but this makes users put their guard down as they take cloud security for granted. Although the cloud provides higher security, keeping their resources secure is one of the biggest challenges many organizations face as threats are constantly evolving. Microsoft Azure offers a shared responsibility model that can address any challenge with the right approach.
Revised to cover product updates up to early 2022, this book will help you explore a variety of services and features from Microsoft Azure that can help you overcome challenges in cloud security. You'll start by learning the most important security concepts in Azure, their implementation, and then advance to understanding how to keep resources secure. The book will guide you through the tools available for monitoring Azure security and enforcing security and governance the right way. You'll also explore tools to detect threats before they can do any real damage and those that use machine learning and AI to analyze your security logs and detect anomalies.
By the end of this cloud security book, you'll have understood cybersecurity in the cloud and be able to design secure solutions in Microsoft Azure.
Page count: 303
Year of publication: 2022
Keeping your Microsoft Azure workloads safe
Mustafa Toroman
Tom Janetscheck
BIRMINGHAM—MUMBAI
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Vijin Boricha
Publishing Product Manager: Shrilekha Malpani
Senior Editor: Athikho Sapuni Rishana
Content Development Editor: Sayali Pingale
Technical Editor: Arjun Varma
Copy Editor: Safis Editing
Associate Project Manager: Neil Dmello
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Production Designer: Ponraj Dhandapani
Marketing Coordinator: Sanjana Gupta
First published: March 2022
Production reference: 1240322
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
978-1-80323-855-5
www.packt.com
Mustafa Toroman is a solution architect focused on cloud-native applications and migrating existing systems to the cloud. He is very interested in DevOps processes and cybersecurity, and he is also an Infrastructure as Code enthusiast and DevOps Institute Ambassador. Mustafa often speaks at international conferences about cloud technologies. He has been an MVP for Microsoft Azure since 2016 and a C# Corner MVP since 2020. Mustafa has also authored several books about Microsoft Azure and cloud computing, all published by Packt.
Thanks to my patient wife, who tolerates my never-ending side projects. Without her putting up with me, I would not be able to do a fraction of what I do. I would also like to thank my family for all the support, my mother for making great sacrifices for me to be here today, my father for believing in me, my brother for being who he is. Another thank you to Bakir, my mentor who steered me in the direction I am still on. Thank you to my Infra team; although I left, you are my brothers and the best team in the world. I would like to thank Sasa and Adis for being my faithful advisors. And last but not least, thanks to Tom for being my partner in crime on this one.
Tom Janetscheck is a senior program manager at Microsoft's Cloud Security CxE team for Microsoft Defender for Cloud. Prior to this, he has been working in different internal and external IT and consulting roles for almost two decades, with a strong focus on cloud infrastructure, architecture, and security. As a well-known international conference speaker, tech blogger, and book author, and as one of the founders and organizers of the Azure Saturday community conferences, the former Microsoft MVP is actively taking his experience into international tech communities. In his spare time, Tom is an enthusiastic motorcyclist, scuba diver, guitarist, bassist, rookie drummer, and station officer at a local fire department.
I would like to thank my wife and sons for always supporting me in whatever I do and for being my bastion of calm; I would also like to thank my great friend, Mustafa Toroman, for collaborating on this project, and also thanks to my great friend and team lead, Yuri Diogenes, for always pushing and helping me to overcome limits! Thanks to our wider team's manager, Rebecca Halla, my director, Nicholas DiCola, and our entire Defender for Cloud CxE team: Bojan, Fernanda, Future, Liana, Safeena, Shay, and Stan – you folks definitely rock and it's my pleasure to work with all of you every day! Also, thank you to the entire Defender for Cloud Engineering/Dev teams for your dedication, enthusiasm, and partnership to make Defender for Cloud the great platform it is today. Last but not least, special thanks to Ben Kliger who encouraged me to move out of my comfort zone and to take the step into Defender for Cloud engineering, this move changed my life!
Matt Hansen is a cloud solution architect at Microsoft who focuses on Azure infrastructure and security. He has been involved in the industry for 15 years as an engineer and architect and has been working with Azure since 2013. Matt serves as a subject matter expert, advisory committee member, and Adjunct Professor for cloud and security technologies.
Matt holds over 50 industry certifications, including CCSP, CISSP, Azure Security Engineer, Azure Network Engineer, and has held all versions of the Azure Solutions architecture certifications. Matt holds a BS in network engineering, an MS in engineering management, and an MS in information systems security.
I attribute much of my accomplishments in life, including this, to my wonderful wife, Heather, who has supported me through everything I've done; I wouldn't be where I am today without you.
I also want to thank Packt for this wonderful opportunity. The world of cybersecurity is ever-changing, and I'm excited to have been a part of this book, enabling organizations to build safe and secure environments on Microsoft Azure.
Security is integrated into every cloud, but most users take cloud security for granted. Revised to cover product updates up to early 2022, this book will help you understand Microsoft Azure's shared responsibility model that can address any challenge, cybersecurity in the cloud, and how to design secure solutions in Microsoft Azure.
This book is for Azure cloud professionals, Azure architects, and security professionals looking to implement safe and secure cloud services using Azure Security Center and other Azure security features. A fundamental understanding of security concepts and prior exposure to the Azure Cloud will assist with understanding the key concepts covered in the book.
Chapter 1, An Introduction to Azure Security, covers how the cloud is changing the concept of IT, and security is not an exception. Cybersecurity requires a different approach in the cloud, and we need to understand what the differences are, new threats, and how to tackle them.
Chapter 2, Governance and Security, goes into how to create policies and rules in Microsoft Azure in order to create standards, enforce these policies and rules, and maintain quality levels.
Chapter 3, Managing Cloud Identities, explains why identity is one of the most important parts of security. With the cloud, identity is even more expressed than ever before. You'll learn how to keep identities secure and safe in Microsoft Azure and how to keep track of access rights and monitor any anomalies in user behavior.
Chapter 4, Azure Network Security, covers how the network is the first line of defense in any environment. Keeping resources safe and unreachable by attackers is a very important part of security. You'll learn how to achieve this in Microsoft Azure with built-in or custom tools.
Chapter 5, Azure Key Vault, explains how to manage secrets and certificates in Azure and deploy resources to Microsoft Azure with Infrastructure as Code in a secure way.
Chapter 6, Data Security, covers how to protect data in the cloud with additional encryption using Microsoft or your own encryption key.
Chapter 7, Microsoft Defender for Cloud, covers how to use Defender for Cloud to detect threats in Microsoft Azure, on-premises and in other clouds, and how to view assessments, reports, and recommendations in order to increase cloud security.
Chapter 8, Microsoft Sentinel, covers how to use Microsoft Sentinel to monitor security for your Azure and on-premise resources, including detecting threats before they happen and using artificial intelligence to analyze and investigate threats. Using Microsoft Sentinel to automate responses to security threats and stop them immediately is also covered.
Chapter 9, Security Best Practices, introduces best practices for Azure security, including how to set up a bulletproof Azure environment, finding the hidden security features that are placed all over Azure, and other tools that may help you increase security in Microsoft Azure.
You will require the following software, which is open source and free to use, except for Microsoft Azure, which is subscription-based and billed based on usage per minute. However, even for Microsoft Azure, a trial subscription can be used.
If you are using the digital version of this book, we advise you to type the code yourself or access the code via the GitHub repository (link available in the next section). Doing so will help you avoid any potential errors related to the copy/pasting of code.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781803238555_ColorImages.pdf.
You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Mastering-Azure-Security-Second-Edition. In case there's an update to the code, it will be updated on the existing GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in the text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Behind the parameters section, there is a resource section in which the key vault reference is defined."
A block of code is set as follows:
# Grant your user account access rights to Azure Key Vault secrets
# ($kvName and $rgName hold the key vault and resource group names)
Set-AzKeyVaultAccessPolicy `
    -VaultName $kvName `
    -ResourceGroupName $rgName `
    -UserPrincipalName (Get-AzContext).account.id `
    -PermissionsToSecrets get, set
Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Click on Review + create and after the final validation is passed, click Create."
Tips or Important Notes
Appear like this.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you've read Mastering Azure Security, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
This section deals with cybersecurity in the cloud, as well as how to create and enforce policies in Azure and how to manage and secure identities in Azure.
This part of the book comprises the following chapters:
Chapter 1, An Introduction to Azure Security
Chapter 2, Governance and Security
Chapter 3, Managing Cloud Identities
When cloud computing comes up in a conversation, security is, very often, the main topic. When data leaves local data centers, many wonder what happens to it. We are used to having complete control over everything, from physical servers, networks, and hypervisors, to applications and data. Then, all of a sudden, we are supposed to transfer much of that to someone else. It's natural to feel a little tension and distrust at the beginning, but, if we dig deep, we'll see that cloud computing can offer us more security than we could ever achieve on our own.
Microsoft Azure is a cloud computing service provided through Microsoft-managed data centers dispersed around the world. Azure data centers are built to top industry standards and comply with all the relevant certification authorities, such as ISO/IEC 27001:2013 and NIST SP 800-53, to name a couple. These standards guarantee that Microsoft Azure is built to provide security and reliability.
In this chapter, we'll learn about Azure security concepts and how security is structured in Microsoft Azure data centers, using the following topics:
Exploring the shared responsibility model
Physical security
Azure network
Azure infrastructure availability
Azure infrastructure integrity
Azure infrastructure monitoring
Understanding Azure security foundations
While Microsoft Azure is very secure, the responsibility for building a secure environment doesn't rest with Microsoft alone. Its shared responsibility model divides responsibility between Microsoft and its customers.
Before we can discuss which party looks after which aspect of security, we need to first discuss cloud service models. There are three basic models:
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
These models differ in terms of what is controlled by Microsoft and the customer. A general breakdown can be seen in the following diagram:
Figure 1.1 – Basic cloud service models
Let's look at these services in a little more detail.
In an on-premises environment, we, as users, take care of everything: the network, physical servers, storage, and so on. We need to set up virtualization stacks (if used), configure and maintain servers, install and maintain software, manage databases, and so on. Most importantly, all aspects of security are our responsibility: physical security, network security, host and OS security, and application security for all application software running on our servers.
With IaaS, Microsoft takes over some of the responsibilities. We only take care of data, runtime, applications, and some aspects of security, which we'll discuss a little later on.
An example of an IaaS product in Microsoft Azure is Azure Virtual Machines (VM).
PaaS gives Microsoft even more responsibility. We only take care of our applications. However, this still means looking after a part of the security. Some examples of PaaS in Microsoft Azure are Azure SQL Database and web apps.
SaaS gives a large amount of control away, and we manage very little, including some aspects of security. In Microsoft's ecosystem, a popular example of SaaS is Office 365; however, we will not discuss this in this book.
Now that we have a basic understanding of shared responsibility, let's understand how responsibility for security is allocated.
The shared responsibility model divides security into three zones:
Always controlled by the customer
Always controlled by Microsoft
Varies by service type
Irrespective of the cloud service model, customers will always retain the following security responsibilities:
Data governance and rights management
Endpoint protection
Account and access management
Similarly, Microsoft always handles the following, in terms of security, for any of its cloud service models:
Physical data center
Physical network
Physical hosts
Finally, there are a few security responsibilities that are allocated based on the cloud service model:
Identity and directory infrastructure
Applications
Network
Operating system
The distribution of responsibility, based on different cloud service models, is shown in the following diagram:
Figure 1.2 – The distribution of responsibility between the customer and service provider for different cloud service models (image courtesy of Microsoft, License: MIT)
Now that we know how security is divided, let's move on to one specific aspect of it: the physical security that Microsoft manages. This section is important as we won't discuss it in much detail in the chapters to come.
Everything starts with physical security. No matter what we do to protect our data from attacks coming from outside of our network, it would all be in vain if someone was to walk into data centers or server rooms and take away disks from our servers. Microsoft takes physical security very seriously in order to reduce the risk of unauthorized access to data and data center resources.
Azure data centers can be accessed only through strictly defined access points. A facility's perimeter is safeguarded by tall fences made of steel and concrete. To enter Azure data centers, a person needs to go through at least two checkpoints: first to enter the facility perimeter, and second to enter the building. Both checkpoints are staffed by professional and trained security personnel. In addition to the access points, security personnel patrol the facility's perimeter. The facility and its buildings are covered by video surveillance, which is monitored by security personnel.
After entering the building, two-factor authentication with biometrics is required to gain access to the inside of the data center. If their identity is validated, a person can access only approved parts of the data center. Approval, besides defining areas that can be accessed, also defines periods that can be spent inside these areas. It also strictly defines whether a person can access these areas alone or needs to be accompanied by someone.
Before accessing each area inside the data center, a mandatory metal detector check is performed. To prevent unauthorized data leaving or entering the data center, only approved devices are allowed. Additionally, all server racks are monitored from the front and back using video surveillance. When leaving a data center area, an additional metal detector screening is required. This helps Microsoft make sure that nothing that can compromise its data's security is brought in or removed from the data center without authorization.
A review of physical security is conducted periodically for all facilities. This aims to satisfy all security requirements at all times.
After equipment reaches the end of its life, it is disposed of securely, with rigorous data and hardware disposal policies. During the disposal process, Microsoft personnel ensure that data is not available to untrusted parties. All data devices are either wiped (if possible) or physically destroyed in order to render the recovery of any information impossible.
All Microsoft Azure data centers are designed, built, and operated in a way that satisfies top industry standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2, to name a few. In many cases, specific region or country standards are followed as well, such as Australia IRAP, UK GCloud, and Singapore MTCS.
As an added precaution, all data inside any Microsoft Azure data center is encrypted at rest. Even if someone managed to get their hands on disks with customers' data, which is virtually impossible with all the security measures, it would take an enormous effort (both from a financial and time perspective) to decrypt any of the data.
But in the cloud era, network security is equally, if not more, important than physical security. Most services are accessed over the internet, and even isolated services depend on the network layer. So, next, we need to take a look at Azure network architecture.
Networking in Azure can be separated into two parts: managed by Microsoft and managed by us. In this section, we will discuss the part of networking managed by Microsoft. It's important to understand the architecture, reliability, and security setup of this part to provide more context once we move to parts of network security that we need to manage.
As with Azure data centers generally, the Azure network follows industry standards with three distinct models/layers:
Core
Distribution
Access
All three models use distinct hardware to completely separate all the layers. The core layer uses data center routers, the distribution layer uses access routers and L2 aggregation (this layer separates L3 routing from L2 switching), and the access layer uses L2 switches.
Azure network architecture includes two levels of L2 switches:
First level: Aggregates traffic
Second level: Loops to incorporate redundancy
This approach allows for more flexibility and better port scaling. Another benefit of this approach is that L2 and L3 are wholly separated, which allows for the use of distinct hardware for each layer in the network. Distinct hardware minimizes the chances of a fault in one layer affecting another one. The use of trunks allows for resource sharing for better connectivity. The network inside an Azure data center is distributed into clusters for better control, scaling, and fault tolerance.
In terms of network topology, Azure data centers contain the following elements:
Edge network: An edge network represents a separation point between the Microsoft network and other networks (such as the internet or corporate networks). It is responsible for providing internet connectivity and ExpressRoute peering into Azure (covered in Chapter 4, Azure Network Security).
Wide area network: The wide area network is Microsoft's intelligent backbone. It covers the entire globe and provides connectivity between Azure regions.
Regional gateways network: A regional gateway is a point of aggregation for Azure regions and applies to all data centers within the region. It provides connectivity between data centers within the Azure region and enables connectivity with other regions.
Data center network: A data center network enables connectivity between data centers and enables communication between servers within the data center. The data center network is based on a modified version of the Clos network. The Clos network uses the principle of multistage circuit-switching. The network is separated into three stages – ingress, middle, and egress. Each stage contains multiple switches and uses an r-way shuffle between stages. When a call is made, it enters the ingress switch and from there it can be routed to any available middle switch, and from the middle switch to any available egress switch. As the number of devices (switches) in use is huge, it minimizes the chance of hardware failure. All devices are situated at different locations with independent power and cooling, so an environmental failure has a minimal impact as well.
Azure networking is built upon highly redundant infrastructure in each Azure data center. Implemented redundancy is need plus one (N+1) or better, with full failover features within, and between, Azure data centers. Full failover tolerance ensures constant network and service availability.
From the outside, Azure data centers are connected by dedicated, redundant, high-bandwidth network circuits that connect properties with over 1,200 Internet Service Providers (ISPs) on a global level. Edge capacity across the network is over 2,000 Gbps, which presents an enormous network potential.
Distributed Denial of Service (DDoS) is becoming a huge issue in terms of service availability. As the number of cloud services increases, DDoS attacks become more targeted and sophisticated. With the help of geographical distribution and quick detection, Microsoft can help you mitigate these DDoS attacks and minimize the impact. Let's take a look at this in more detail.
Azure is designed, built, and operated to deliver highly available and reliable infrastructure. Improvements are constantly implemented to increase availability and reliability, along with efficiency and scalability. Delivery of a more secure and trusted cloud is always a priority.
Uninterruptible power supplies and vast banks of batteries ensure that the flow of electricity stays uninterrupted in case of short-term power disruptions. In the case of long-term power disruptions, emergency generators can provide backup power for days. Emergency power generators are used in cases of extended power outages or planned maintenance. In cases of natural disasters, when the external power supply is unavailable for long periods, each Azure data center has fuel reserves on-site.
Robust and high-speed, fiber optic networks connect data centers to major hubs. It's important that, along with connections through major hubs, data centers are connected directly. Everything is distributed into nodes, which host workloads closer to users to reduce latency, provide geo-redundancy, and increase resiliency.
Data in Azure can be placed in two separate regions: primary and secondary regions. A customer can choose where the primary and secondary regions will be. The secondary region is a backup site. In each region, primary and secondary, Azure keeps three healthy copies of your data at all times. This means that six copies of the data are available at any time. If any data copy becomes unavailable at any time, it's immediately declared invalid, a new copy is created, and the old one is destroyed.
Microsoft ensures high availability and reliability through constant monitoring, incident response, and service support. Each Azure data center operates 24/7/365 to ensure that everything is running, and all services are available at all times. Of course, available at all times is a goal that, ultimately, is impossible to reach. Many circumstances can impact uptime, and sometimes it's impossible to control all of them. Realistically, the aim is to achieve the best possible Service Level Agreement (SLA) so as to ensure that potential downtime is limited as far as possible. The SLA can vary based on a number of factors and is different per service and configuration. If we take into account all the factors we can control, the best SLA we can achieve would be 99.99%, also known as four nines.
Closely connected to infrastructure availability is infrastructure integrity. Integrity affects availability in terms of deployment, where every step must be verified from different perspectives. New deployments must not cause any downtime or affect existing services in any way.
All software components installed in the Azure environment are custom built. This, of course, refers to software installed and managed by Microsoft as part of Azure Service Fabric. Custom software is built using Microsoft's Security Development Lifecycle (SDL) process, including operating system images and SQL databases. All software deployment is conducted as part of the strictly defined change management and release management process. All nodes and fabric controllers use customized versions of Windows Server 2019. The installation of any unauthorized software is not allowed.
VMs running in Azure are grouped into clusters. Each cluster contains around 1,000 VMs. All VMs are managed by the Fabric Controller (FC). The FC is scaled out and redundant. Each FC is responsible for the life cycle management of applications running in its own cluster. This includes the provisioning and monitoring of hardware in that cluster. If any server fails, the FC automatically rebuilds a new instance of that server.
Each Azure software component undergoes a build process (as part of the release management process) that includes virus scans using endpoint protection anti-virus tools, so nothing goes to production without a clean virus scan. Each virus scan creates a log in the build directory and, if any issues are detected, the process for this component is frozen. Any software component for which an issue is detected undergoes inspection by Microsoft security teams in order to identify the exact issue.
Azure is a closed and locked-down environment. All nodes and guest VMs have their default Windows administrator account disabled. No user accounts are created directly on any of the nodes or guest VMs either. Administrators from Azure support can connect to them only with proper authorization to perform maintenance tasks and emergency repairs.
With all precautions taken to provide maximum availability and security, incidents may occur from time to time. To detect these issues and mitigate them as soon as possible, Microsoft implemented monitoring and incident management.
All hardware, software, and network devices in Azure data centers are constantly reviewed and updated. Reviews and updates are performed mandatorily at least once a year, but additional reviews and updates are performed as needed. Any changes (to hardware, software, or the network) must go through the release management process and need to be developed, tested, and approved in development and test environments prior to release to production. In this process, all changes must be reviewed and approved by the Azure security and compliance team.
All Azure data centers use integrated deployment systems for the distribution and installation of security updates for all software provided by Microsoft. If third-party software is used, the customer or software manufacturer is responsible for security updates, depending on how the software is provided and used. For example, if third-party software is installed using Azure Marketplace, the manufacturer is responsible for providing updates. If the software is manually installed, then it depends on the specific software. For Microsoft software, a special team within Microsoft, named Microsoft Security Response Center, is responsible for monitoring and identifying any security incident 24/7/365. Furthermore, any incident must be resolved in the shortest possible time frame.
Vulnerability scanning is performed across the Azure infrastructure (servers, databases, and network) at least once every quarter. If there is a specific issue or incident, vulnerability scanning is performed more often. Microsoft performs penetration tests, but also hires independent consultants to perform penetration tests. This ensures that nothing goes undetected. Any security issues are addressed immediately in order to increase security and stop any exploit when the issue is detected.
In case of any security issue, Microsoft has incident management in place. In the event that Microsoft is aware of a security issue, it takes the following action:
The customer is notified of the incident.
An immediate investigation is started to provide detailed information regarding the security incident.
Steps are taken to mitigate the effects and minimize the damage of the security incident.
Incident management is clearly defined in order to manage, escalate, and resolve all security incidents promptly.
Overall, we can see that with Microsoft Azure, the cloud can be very secure. But it's very important to understand the shared responsibility model as well. Just putting applications and data into the cloud doesn't make it secure. Microsoft provides certain parts of security and ensures that physical and network security is in place. Customers must assume part of the responsibility and ensure that the right measures are taken on their side as well.
For example, let's say we place our database and application in Microsoft Azure, but our application is vulnerable to SQL injection (still a very common data breach method). Can we blame Microsoft if our data is breached?
Let's be more extreme and say we publicly exposed the endpoint and forgot to put in place any kind of authentication. Is this Microsoft's responsibility?
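The SQL injection case above, as an added example that is not from the book: the same customer lookup written the vulnerable way (input spliced into the SQL text) and the hardened way (input bound as a parameter). An in-memory SQLite table stands in for the Azure SQL database, and the table, rows and crafted input are constructed for the example; the point is that no platform control fixes this, only the application code does.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's database (assumption:
    Azure SQL in the book's scenario; sqlite3 is used so this runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, api_key) VALUES (?, ?)",
        [("alice@example.com", "key-alice"), ("bob@example.com", "key-bob")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list[str]:
    """Vulnerable: the caller's input becomes part of the SQL statement, so the
    database executes whatever syntax the caller managed to type."""
    sql = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list[str]:
    """Hardened: the value is bound as a parameter and can only ever be compared
    as data, never parsed as SQL."""
    return [
        row[0]
        for row in conn.execute("SELECT email FROM customers WHERE email = ?", (email,))
    ]


# Constructed input that is not a valid e-mail address but, when spliced into the
# unsafe query, turns the WHERE clause into a condition that is always true.
CRAFTED = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal input :", lookup_unsafe(db, "alice@example.com"))
    print("unsafe, crafted input:", lookup_unsafe(db, CRAFTED))  # every row leaks
    print("safe,   crafted input:", lookup_safe(db, CRAFTED))    # nothing matches
```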
If we look at the level of physical and network security that Microsoft provides in Azure data centers, not many organizations can say that they have the same level in their local data centers. More often than not, physical security is totally neglected. Server rooms are not secure, access is not controlled, and many times there is not even a dedicated server room, but just server racks in some corner or corridor. Even when a server room is under lock and key, no change management is in place, and no one controls or reviews who is entering the server room and why. On the other hand, Microsoft implements top-level security in its data centers. Everything is under constant surveillance, and every access needs to be approved and reviewed. Even if something is missed, everything is still encrypted and additionally secured. In my experience, this is again something that most organizations don't bother with.
Similar things can be said about network security. In most organizations, almost all network security ends at the firewall. Networks are usually unsegmented, no traffic control is in place inside the network, and so on. Routing and traffic forwarding are basic or non-existent. Microsoft Azure again addresses these problems very well and helps us have secure networks for our resources.
But even with all the components of security that Microsoft takes care of, this is only the beginning. Using Microsoft Azure, we can achieve better physical and network security than we could in local data centers, and we can concentrate on other things.
The shared responsibility model has different responsibilities for different cloud service models, and it's sometimes unclear what needs to be done. Luckily, even if it's not Microsoft's responsibility to address these parts of security, there are many security services available in Azure. Many of Azure's services have the single purpose of addressing security and helping us protect our data and resources in Azure data centers. Again, it does not stop there. Most of Azure's services have some sort of security features built-in, even when these services are not security-related. Microsoft takes security very seriously and enables us to secure our resources with many different tools.
The tools available
