Azure Security Fundamentals
This document provides an overview of core security concepts and services within Microsoft Azure. Understanding these fundamentals is crucial for building and maintaining a secure cloud environment.
Key Security Principles in Azure
Azure's security model is built upon several key principles:
- Defense in Depth: Implementing multiple layers of security controls to protect data and resources.
- Least Privilege: Granting only the necessary permissions for users and services to perform their tasks.
- Zero Trust: Never trusting a user, device or network location by default. Every access request is verified explicitly against all available signals (identity, device health, location, sign-in risk), granted with least privilege, and designed on the assumption that a breach has already occurred.
- Shared Responsibility: Understanding the division of security responsibilities between Microsoft and the Azure customer.
Core Azure Security Services
Identity and Access Management (IAM)
Managing who can access what resources and how. Azure's primary IAM service is:
- Microsoft Entra ID (formerly Azure Active Directory, Azure AD): the cloud-based identity and access management service. It authenticates users, service principals and managed identities, and authorizes their access to Azure, Microsoft 365 and federated SaaS applications.
Key features include:
- Multi-Factor Authentication (MFA): a second factor on top of the password; it should be enforced for every account, not only administrators.
- Conditional Access policies: allow, block or require MFA (or a compliant device) based on user, group, application, location, device state and sign-in risk. This is where Zero Trust "verify explicitly" is actually implemented.
- Azure Role-Based Access Control (Azure RBAC): authorization for Azure resources. Roles are assigned to a principal at a scope (management group, subscription, resource group or resource) and inherited by everything below that scope. Azure RBAC is separate from Entra ID directory roles such as Global Administrator.
- Identity Protection: detects risky users and sign-ins (leaked credentials, anomalous travel, anonymous IPs) and can feed those risk levels into Conditional Access policies.
- Managed identities: Entra ID identities attached to Azure resources so that workloads obtain tokens without storing credentials in code or configuration.
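Azure RBAC is additive: a request is allowed if any in-scope role assignment grants the action, and a role's NotActions only subtract from that one role; they are not a deny. The following Python model of that evaluation is an added example written for this page, not Microsoft code. The role definitions are simplified (the real Contributor has more NotActions entries), the custom roles "VM Operator" and "Storage Admin No Delete" are hypothetical, and the assignments and resource IDs are constructed sample data.

```python
"""Model of Azure RBAC permission evaluation: wildcard actions, scope inheritance,
and the union of role assignments. Deny assignments are not modelled."""
import re

# Constructed, simplified role definitions; the built-ins have more entries.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
    # Hypothetical custom role: start/stop VMs and nothing else.
    "VM Operator": {
        "Actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action"],
        "NotActions": [],
    },
    # Hypothetical custom role whose NotActions entry is often mistaken for a deny.
    "Storage Admin No Delete": {
        "Actions": ["Microsoft.Storage/*"],
        "NotActions": ["Microsoft.Storage/storageAccounts/delete"],
    },
}


def _matches(pattern: str, action: str) -> bool:
    """Azure action wildcards: '*' matches any run of characters, including '/'.
    Action strings are compared case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _scope_contains(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to its scope and everything below it.
    Compare whole path segments so '/rg1' does not match '/rg10'."""
    a = [s.lower() for s in assignment_scope.strip("/").split("/")]
    r = [s.lower() for s in resource_id.strip("/").split("/")]
    return r[:len(a)] == a


def role_allows(role: dict, action: str) -> bool:
    """Within one role: Actions grant, NotActions subtract."""
    granted = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role["NotActions"])
    return granted and not excluded


def is_allowed(assignments, principal: str, action: str, resource_id: str) -> bool:
    """Union over every in-scope assignment for the principal."""
    return any(
        a["principal"] == principal
        and _scope_contains(a["scope"], resource_id)
        and role_allows(ROLES[a["role"]], action)
        for a in assignments
    )


# Constructed sample assignments and resource IDs.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": "/subscriptions/sub1"},
    {"principal": "alice", "role": "VM Operator", "scope": "/subscriptions/sub1/resourceGroups/rg1"},
    {"principal": "bob", "role": "Storage Admin No Delete", "scope": "/subscriptions/sub1/resourceGroups/rg1"},
    {"principal": "bob", "role": "Contributor", "scope": "/subscriptions/sub1/resourceGroups/rg1"},
]
VM1 = "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = "/subscriptions/sub1/resourceGroups/rg10/providers/Microsoft.Compute/virtualMachines/vm2"
ST1 = "/subscriptions/sub1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st1"

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/read", VM2),          # Reader at subscription
        ("alice", "Microsoft.Compute/virtualMachines/start/action", VM1),  # VM Operator in rg1
        ("alice", "Microsoft.Compute/virtualMachines/start/action", VM2),  # rg10 is outside rg1
        ("bob", "Microsoft.Storage/storageAccounts/delete", ST1),          # Contributor still grants delete
        ("bob", "Microsoft.Authorization/roleAssignments/write", ST1),     # excluded by Contributor
    ]
    for principal, action, res in checks:
        print(principal, action, res.rsplit("/", 1)[-1], "->", is_allowed(ASSIGNMENTS, principal, action, res))
```

The fourth check is the one worth remembering: bob's custom role excludes storage-account deletion, but his Contributor assignment at the same scope grants it anyway. Restricting a principal means removing the broader assignment, not adding NotActions to a narrower role.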
Network Security
Protecting your virtual network and resources from unauthorized access and threats.
- Network Security Groups (NSGs): Stateful layer 3/4 filters that allow or deny traffic by source, destination, port and protocol, attached to a subnet, a network interface, or both. Rules are evaluated in priority order (lowest number first) and the first match wins. Every NSG carries default rules that allow traffic inside the virtual network and from the Azure load balancer and deny all other inbound traffic, so a VM is closed by default until a custom rule opens it.
- Azure Firewall: A managed, cloud-native, fully stateful firewall as a service with built-in high availability and scaling. Beyond IP/port rules it filters outbound traffic by FQDN, blocks known-malicious sources using Microsoft threat-intelligence feeds, and performs SNAT/DNAT; the Premium tier adds TLS inspection and IDPS. Traffic reaches it through user-defined routes on the subnets it protects.
- Azure DDoS Protection: Mitigates volumetric and protocol DDoS attacks. Infrastructure-level protection is always on for every Azure endpoint; the paid DDoS Network Protection tier adds adaptive tuning to your traffic profile, attack telemetry and alerting, and rapid-response support for public IPs in a virtual network.
- Azure Virtual Network: The isolated private IP address space in which Azure resources are placed. Subnets, peering, private endpoints and service endpoints are all built on it.
Important Note on NSGs vs. Azure Firewall:
NSGs are distributed, per-subnet or per-NIC filters that match on addresses, ports, protocols and service tags; they have no application-layer awareness, and their flow logs must be enabled separately. Azure Firewall is a centralized hub firewall with FQDN and threat-intelligence filtering, centrally managed policy, and diagnostic logging of every allowed and denied flow. The two are complementary rather than alternatives: a common design routes subnet egress through Azure Firewall with a user-defined route, while NSGs enforce east-west segmentation between subnets.
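Because first match by priority is what decides, a single permissive rule above the defaults undoes the deny-by-default posture. The following Python model of inbound NSG evaluation is an added example written for this page, not Azure code. The three default inbound rules are the real ones; the virtual network prefix 10.0.0.0/16, the admin range 203.0.113.0/24, the rule names and the sample packets are constructed, and the service-tag resolution is a small stand-in for the address lists Microsoft maintains.

```python
"""Model of inbound NSG rule evaluation: priority order, first match wins,
default rules at 65000/65001/65500. NSGs are stateful, so reply packets of
an allowed flow are never evaluated; only the initiating packet is."""
import ipaddress

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]      # constructed VNet address space
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")     # source of Azure LB health probes

# Default inbound rules present in every NSG; they can only be overridden by
# custom rules with a lower priority number (100-4096), never removed.
DEFAULT_INBOUND = [
    dict(name="AllowVnetInBound", priority=65000, access="Allow", protocol="*",
         source="VirtualNetwork", destination="VirtualNetwork", dport="*"),
    dict(name="AllowAzureLoadBalancerInBound", priority=65001, access="Allow", protocol="*",
         source="AzureLoadBalancer", destination="*", dport="*"),
    dict(name="DenyAllInBound", priority=65500, access="Deny", protocol="*",
         source="*", destination="*", dport="*"),
]


def _addr_match(selector, ip):
    """Match an address against '*', a CIDR/IP, or one of three service tags."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in p for p in VNET_PREFIXES)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return in_vnet
    if selector == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    if selector == "Internet":  # simplified: anything outside the VNet and the probe source
        return not in_vnet and addr != AZURE_LB_PROBE
    return addr in ipaddress.ip_network(selector, strict=False)


def _port_match(selector, port):
    """Match '*', a single port, a range '1000-2000', or a comma-separated list."""
    if selector == "*":
        return True
    for part in str(selector).split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(custom_rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) for the first rule that matches, in priority order."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if ((r["protocol"] == "*" or r["protocol"].lower() == protocol.lower())
                and _addr_match(r["source"], src_ip)
                and _addr_match(r["destination"], dst_ip)
                and _port_match(r["dport"], dst_port)):
            return r["access"], r["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# The common mistake: RDP opened from any source so an admin can log in.
WEAK_RULES = [
    dict(name="AllowRDP", priority=100, access="Allow", protocol="Tcp",
         source="*", destination="*", dport="3389"),
]

# Corrected: same port, but only from the constructed admin range, with an
# explicit deny from the Internet tag right below it as a guard rail.
HARDENED_RULES = [
    dict(name="AllowRDPFromAdmins", priority=100, access="Allow", protocol="Tcp",
         source="203.0.113.0/24", destination="*", dport="3389"),
    dict(name="DenyRDPFromInternet", priority=110, access="Deny", protocol="Tcp",
         source="Internet", destination="*", dport="3389"),
]

if __name__ == "__main__":
    # Constructed sample packets: an Internet scanner, an admin workstation, a peer VM.
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "scanner ->", evaluate_inbound(rules, "198.51.100.7", "10.0.1.4", 3389))
        print(label, "admin   ->", evaluate_inbound(rules, "203.0.113.9", "10.0.1.4", 3389))
        print(label, "peer VM ->", evaluate_inbound(rules, "10.0.2.5", "10.0.1.4", 3389))
```

With the weak rule set the scanner is allowed by AllowRDP; with the hardened set it falls through to DenyRDPFromInternet, the admin matches AllowRDPFromAdmins, and the peer VM is still admitted by the default AllowVnetInBound rule, which is why east-west traffic needs its own explicit rules if you want segmentation inside the VNet.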
Data Protection
Securing your data at rest and in transit. For data in transit, each service exposes its own TLS setting that should be pinned to TLS 1.2 or later (for example the storage account "secure transfer required" and minimum TLS version settings, and the SQL minimal TLS version setting).
- Azure Storage Encryption: All data written to Azure Storage is encrypted at rest with 256-bit AES by Storage Service Encryption (SSE). It is on by default and cannot be disabled; keys are Microsoft-managed unless you configure customer-managed keys held in Azure Key Vault.
- Azure Key Vault: Securely store and manage secrets, cryptographic keys, and certificates, with access controlled by Azure RBAC (or legacy vault access policies) and every operation written to diagnostic logs. Enable soft-delete and purge protection so that a deleted key cannot be destroyed immediately; HSM-backed keys are available through the Premium tier and the dedicated Managed HSM.
- Transparent Data Encryption (TDE): Encrypts Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics data files, log files and backups at rest using AES. It is enabled by default for new databases, and the database encryption key can be protected either by a service-managed key or by a customer-managed key in Key Vault (bring your own key).
Threat Protection
Detecting, investigating, and responding to threats.
- Microsoft Defender for Cloud: The cloud security posture management (CSPM) and workload protection service. The free foundational tier continuously assesses resources against the Microsoft cloud security benchmark, produces a secure score and prioritized recommendations, and surfaces misconfigurations such as public storage or missing disk encryption. The paid Defender plans (for Servers, Storage, SQL, Containers, Key Vault and others) add threat detection that raises security alerts on suspicious activity in those workloads.
- Azure Security Center and Azure Defender: The former names of the posture-management and workload-protection halves of Defender for Cloud. They were merged under the Defender for Cloud name in 2021, so older documentation that uses these names refers to the same service.
Security Governance and Compliance
Ensuring your cloud environment meets regulatory requirements and internal policies.
- Azure Policy: Helps you enforce organizational standards and assess compliance at scale. A policy definition pairs a condition (`if`) with an effect (`then`): Audit and AuditIfNotExists record non-compliance, Deny rejects the creating or updating request at Azure Resource Manager, and DeployIfNotExists and Modify remediate. Policies are assigned at a scope and inherited by everything below it; they evaluate resource-management requests and periodically re-scan existing resources, but they do not see data-plane operations such as reading a blob.
- Azure Blueprints: Enables the definition of a repeatable set of Azure resources (role assignments, policy assignments, ARM templates, resource groups) that implement and adhere to an organization's standards, patterns, and requirements. Note that Blueprints has been announced for deprecation on 11 July 2026; Microsoft recommends template specs and deployment stacks together with Azure Policy for new environments.
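To see how a policy rule is actually applied, the Python below evaluates a policy rule written in the `if`/`then` syntax Azure Policy uses against a few resources. It is an added example written for this page, not Microsoft's engine: it supports the logical operators and field conditions most built-in policies rely on, the alias table is a constructed three-entry subset of the real one, the policy rule is written by hand in the style of the built-in public-access and TLS policies, the sample resources are constructed, and the `deny` result is reported rather than enforced.

```python
"""Miniature evaluator for Azure Policy rules: allOf/anyOf/not, and the field
conditions equals, notEquals, in, notIn and exists, resolved through aliases."""
import json

# Constructed subset of the alias table Azure Policy maintains.
ALIASES = {
    "Microsoft.Storage/storageAccounts/allowBlobPublicAccess": "properties.allowBlobPublicAccess",
    "Microsoft.Storage/storageAccounts/minimumTlsVersion": "properties.minimumTlsVersion",
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": "properties.supportsHttpsTrafficOnly",
}

# Hand-written rule: deny storage accounts that allow public blob access (or do
# not state it), accept TLS below 1.2, or lack an owner tag.
POLICY_RULE = json.loads("""
{
  "if": {
    "allOf": [
      {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
      {"anyOf": [
        {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "exists": "false"},
        {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": false},
        {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notIn": ["TLS1_2", "TLS1_3"]},
        {"not": {"field": "tags['owner']", "exists": "true"}}
      ]}
    ]
  },
  "then": {"effect": "deny"}
}
""")

_MISSING = object()


def _lookup(resource, field):
    """Resolve a field: a tag reference, a policy alias, or a dotted property path."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2], _MISSING)
    node = resource
    for key in ALIASES.get(field, field).split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def _norm(v):
    return v.lower() if isinstance(v, str) else v  # string comparisons are case-insensitive


def _condition(resource, cond):
    if "allOf" in cond:
        return all(_condition(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition(resource, cond["not"])
    value = _lookup(resource, cond["field"])
    if "exists" in cond:
        return (value is not _MISSING) == (str(cond["exists"]).lower() == "true")
    if value is _MISSING:
        return False  # simplification: a missing field satisfies no value comparison
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in [_norm(x) for x in cond["in"]]
    if "notIn" in cond:
        return _norm(value) not in [_norm(x) for x in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the policy effect that applies to the resource, or 'compliant'."""
    return policy["then"]["effect"] if _condition(resource, policy["if"]) else "compliant"


# Constructed sample resources, in the shape returned by Azure Resource Manager.
RESOURCES = {
    "stgood":   {"type": "Microsoft.Storage/storageAccounts", "tags": {"owner": "sec"},
                 "properties": {"allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2"}},
    "stpublic": {"type": "Microsoft.Storage/storageAccounts", "tags": {"owner": "sec"},
                 "properties": {"allowBlobPublicAccess": True, "minimumTlsVersion": "TLS1_2"}},
    "stlegacy": {"type": "Microsoft.Storage/storageAccounts", "tags": {"owner": "sec"},
                 "properties": {"minimumTlsVersion": "TLS1_2"}},           # property never set
    "stoldtls": {"type": "Microsoft.Storage/storageAccounts", "tags": {"owner": "sec"},
                 "properties": {"allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_0"}},
    "stnotag":  {"type": "Microsoft.Storage/storageAccounts",
                 "properties": {"allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2"}},
    "vm1":      {"type": "Microsoft.Compute/virtualMachines", "properties": {}},  # rule does not apply
}

if __name__ == "__main__":
    for name, res in RESOURCES.items():
        print(f"{name:9} {evaluate(POLICY_RULE, res)}")
```

The `exists: false` branch is the one practitioners forget: an account created before a property existed carries no value for it, and a rule that only tests `notEquals` would pass it through. Pairing `exists` with the value test inside `anyOf` is the pattern the built-in policies use for exactly that reason.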
Shared Responsibility Model in Azure
Microsoft is responsible for security of the cloud: the physical security of data centers, the hosts, the hypervisor and the network fabric. Customers are responsible for security in the cloud. Where the line falls depends on the service model: with IaaS the customer also patches the guest OS and configures the network; with PaaS Microsoft manages the OS and runtime; with SaaS the customer's share shrinks mainly to identities, data and endpoints. Regardless of model, the customer always retains responsibility for:
- Securing their data
- Securing applications
- Securing identities
- Securing endpoints
- Configuring network controls
- Managing access rights
Best Practices:
Enforce MFA and Conditional Access for every account, and keep standing privileged-role assignments to a minimum. Prefer managed identities over credentials stored in code or configuration. Assign Azure RBAC roles at the narrowest scope that works and review assignments regularly. Close inbound exposure with NSGs, route egress through Azure Firewall, and turn on NSG flow logs and diagnostic settings so that there is evidence to investigate. Use Azure Policy in Deny mode for the controls that must never drift (public storage access, TLS versions, required tags). Treat the Microsoft Defender for Cloud secure score and its recommendations as a remediation backlog, and enable the Defender plans for the workloads you run so that threat detection covers them.
For more in-depth information on specific services, please refer to the respective documentation sections.