Over a million developers have joined DZone.

Securing Azure Datacenters

DZone 's Guide to

Securing Azure Datacenters

Using Azure for your cloud computing sounds like a good idea because it is. But don't necessarily expect all your security needs to be taken care of.

· Cloud Zone ·
Free Resource

A common misconception about consuming Azure public cloud services is that Microsoft is taking care of all security aspects. Although this is partially true, as a consumer of Azure public cloud services, you are responsible for some of the security controls. The number and areas of security controls you are responsible for depends on which type of public cloud services you are consuming- Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-service (IaaS).

Microsoft will manage most of the security controls within SaaS, a significant portion within of PaaS, and a small portion within IaaS. Conversely, you will need to manage most of the controls within IaaS, some within PaaS and a small portion within SaaS.

Azure PaaS services can be consumed under two models:

  1. Multi-tenant, public IP accessible.
  2. Dedicated virtual network (v-net) integrated.

Multi-tenant PaaS is hosted on virtual infrastructure shared with other customers, whereas PaaS dedicated is provisioned on virtual infrastructure dedicated for your use. With the dedicated v-net integrated model, you are responsible for implementing more security controls; however, as the solution is not publicly accessible over the internet, with appropriate monitoring and governance provides an improved security model.

When securing Azure datacenters, one challenge is to ensure you find the correct balance between enterprise IT governance, security and line-of-business developer agility. One approach to this is to have different standards between production and non-production environments, so developers can have the freedom to innovate within an environment with fewer controls whilst still having the required governance and controls within the production environment.

The following security pillars in Azure are areas to focus on when implementing your security controls.


Encrypting data at rest and in-transit ensures that if the network or if data is ever compromised, it will not be possible for an attacker to access the content. Encryption keys should be stored in an Azure Key Vault with lifecycle management.


Ensuring your target operating model matches your Role Based Access Control (RBAC) design, and that a process for segregating duties exists will reduce risk.

Software Defined Networking

Making sure workloads of different trust levels are segregated and that traffic visibility is provided to security operation centers are some critical controls.


IaaS workloads should be hardened to a defined standard with agreed core applications and any deviations should be reported and remediated.

Monitoring and Reporting

Proactive monitoring of security controls is important and ideally, auto-remediation of any issues should be the desired outcome.


Availability design is critical in order to meet the recovery time objectives for a wide range of events and ensure applications continue to operate.

The following is a more comprehensive list of security controls and the tools/solutions available within Azure to meet the controls.

Azure Security Controls Azure Tools and Solutions

Network Subscription and Network Segregation. Subnet and NSG Design, WAF & NGF Firewalls
Monitoring Log Analytics, Azure Monitor, Azure AD, Azure Security Centre, Azure Network Watcher
Virtual Machine Build Compliance Hardening Standards, ARM Templates, DSC Core Application Installation Process, Certification
Cryptography and Secret Management OS Disk Encryption, Key Vault
Vulnerability Scanning Qualys Scanning Appliance and Security Centre agent
System and Software Vulnerability Management SCCM, OMS Patching
Cloud Security Azure Platform and OS Logs sent to SIEM and SOC. OMS, ATA
Identity & Access Management Identity for Portal and Host Access, MFA, Jump Box Design
Malware Protection Deploy chosen Anti-Malware agent as part of the build process
User Access Rights Design RBAC model, Azure policy design, reduced elevated privilege use
Backup Encrypted Backups, data restore process

Design, availability sets and zones and backup data center locations

azure ,cloud security ,cloud management ,cloud vendor ,cloud ,microsoft

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}