table of contents
- 01.What is Microsoft Azure?
- 02.Fundamental Security Concepts in Azure
- 03.Azure Security Features
- 04.Security measures provided by Azure
- 05.Why Azure requires additional security measures
- 06.How to strengthen Azure security
- 07.For secure operation of Microsoft Azure, use “Microsoft Azure Security Assessment”.
- 08.summary
Microsoft Azure is a cloud platform provided by Microsoft, primarily a public cloud service that allows users to access IT resources such as servers, databases, and AI via the internet.
To protect the information assets held by client companies, a wide range of security features are provided, including ID and access management, data protection, and network security.
On the other hand, for some security areas, the service is operated under a “shared responsibility model” in which the service provider (Microsoft) and the user share responsibility, so users are also required to exercise caution.
This article focuses on “Microsoft Azure Security,” explaining the security features and characteristics provided.
â–¼What you will learn from this article
- Azure Security Basic Concepts
- Azure Security Features
- Azure’s standard security measures
- How to strengthen Azure security
If your company or organization is considering implementing Microsoft Azure or wants to learn more about its security features, please read on.
This article also introduces “Microsoft Azure Security Assessment,” which supports the secure use of Microsoft Azure by businesses and organizations. Please check it out as well.
What is Microsoft Azure?
Microsoft Azure is a cloud platform provided by Microsoft.
Primarily offered as a public cloud, it allows users to access numerous services such as servers, storage, databases, AI, and analytics platforms via the internet.
By adopting Microsoft Azure, companies can utilize IT infrastructure only as needed, without having to own and manage their own physical servers, enabling them to build and expand systems flexibly and quickly.
Furthermore, various security features are available to protect corporate data, applications, and other information assets from cyberattacks, ensuring both convenience and security.
On the other hand, because Microsoft Azure employs a “shared responsibility model,” the user company is responsible for certain areas, such as configuration and access management.
If there are any configuration errors, it could lead to a serious security incident, so it is important for companies using the system to continuously check for any configuration deficiencies.
We will explain this in more detail in the next section.
Fundamental Security Concepts in Azure
Microsoft Azure employs key security principles to ensure the safe operation of its cloud environment.
These are not simply features provided as an added benefit, but rather based on fundamental design principles for securely operating the cloud.
Before we look at the specific security features, let’s first examine the philosophy behind how Microsoft Azure provides its security features.
defense in depth
Microsoft Azure employs a “multi-layered defense” approach, providing layers of protection for each layer, from physical data centers to identity, networking, computing, applications, and data.
Multi-layered defense is a security measure that protects information assets from cyberattacks, insider threats, and other threats by implementing different defense strategies in multiple areas within a system.
This means that even if one layer of defense is breached, the damage can be prevented from spreading through other layers.
In cloud environments, system configurations tend to be complex, making this multi-layered security design particularly important.
Zero Trust
Microsoft Azure employs a zero-trust security model based on the following three fundamental principles:
| Explicitly verify | Always perform authentication and authorization based on all available information. |
|---|---|
| Use least privileged access . |
– Limit user access permissions to the minimum necessary. |
| Assume breach | – Minimize the scope of impact and segment access. – Verify end-to-end encryption and enhance threat detection and defense. |
Zero Trust re-examines the traditional perimeter-based security concepts, which assume that “access from the internal network is safe” and “once authenticated, it is trustworthy,” and instead adopts a philosophy of strict authentication and authorization for all users and all access.
With the widespread use of cloud computing and remote work, the boundaries between internal and external networks have become blurred, making it difficult to ensure sufficient security with traditional perimeter-based defenses alone.
Therefore, Microsoft Azure places great importance on mechanisms that control access while comprehensively evaluating users, devices, and access status.
Specifically, by utilizing features such as multi-factor authentication and conditional access, it is possible to verify the user’s identity and the security of their environment, and then grant only the minimum necessary permissions.
By verifying all access attempts under the assumption of “not trusting them,” the risk of unauthorized access and data breaches can be reduced.
Shared Responsibility Model
Microsoft Azure employs a “shared responsibility model,” where responsibility for certain security areas is shared between the service provider (Microsoft) and the user.
The scope of responsibility varies depending on the IaaS, PaaS, and SaaS deployment model.
A helpful way to understand the division of responsibilities is to think of it this way: “Microsoft” is responsible for the areas that users cannot directly manage, and “the user” is responsible for the areas that users can directly manage.
The following is an example of how responsibilities may be divided.
| Microsoft’s responsibility | • Physical data center (facilities, power supply, etc.) • Physical servers and hardware • Network infrastructure (physical network) • Virtualization layer (hypervisor, etc.) |
|---|---|
| User responsibility | • Data management and protection • User management (ID, password, multi-factor authentication) • Access permissions • Application and OS settings • Security settings (network control, policies, etc.) |
As this shows, while Microsoft Azure provides a strong security foundation, it does not guarantee security in all areas.
To use cloud services securely, companies and organizations using them are required to implement appropriate access control settings, enforce security policies, and regularly check permissions and settings, continuously managing them according to their own usage patterns.
When using Microsoft Azure, it is crucial to properly understand this shared responsibility model and establish an operational structure accordingly.
Azure Security Features
Microsoft Azure is used by businesses and government agencies worldwide, and based on the aforementioned security concepts, it has mechanisms and operational structures in place to enhance security.
This section introduces some of the key security features of Microsoft Azure.
Supports numerous international compliance certifications.
To build a secure cloud environment, meeting international standards for data handling and management is a crucial criterion.
Microsoft Azure has obtained over 100 compliance certifications.
â–¼Examples of major compliance certifications and standards
- ISO 27001
- ISO 27017
- FedRAMP
- SOC1/SOC2/SOC3
- PCI DSS
- ISMAP
Because it has obtained these certifications, Microsoft Azure is a cloud service with a high level of security and offers the advantage of being able to comply with legal regulations and industry requirements in multiple countries and regions.
Physical security measures are also thoroughly implemented.
Another key feature of Microsoft Azure is that its data centers, which form the foundation of the cloud, are operated under a rigorous management system.
Cloud services are accessed via the internet, but the actual data is managed in physical data centers.
Therefore, security measures at the facility level are also extremely important from the perspective of ensuring security.
Microsoft Azure data centers ensure security from multiple perspectives, including access control, monitoring systems, equipment redundancy, and disaster recovery measures.
In particular, access to the data center is strictly controlled, and users without prior authorization cannot freely enter.
Access is controlled in stages across multiple security layers, including the area around the facility, the area around the building, and inside the building.
For example, the following security measures are in place:
| Before arrival | – You must demonstrate the business justification for the visit and apply for access in advance. |
|---|---|
| Surroundings of the facility | – You must pass through a clearly defined access point. |
| Inside the building | – Moving around the building requires passing a two-factor authentication process using biometrics. |
| Each floor of the data center | – Access is limited to floors where entry has been approved. – You must pass a metal detector screening. |
These management functions are operated under unified standards by Microsoft, the provider of Microsoft Azure, and are monitored and managed 24/7.
Security measures provided by Azure
Microsoft Azure provides a variety of security features as standard to ensure the safe use of the cloud environment.
By utilizing these features, you can properly protect your company’s information assets.
This article explains the key security measures and features available in Microsoft Azure.
- Network Security
- ID management
- Data protection and encryption
- Threat countermeasures
- Security management and monitoring
- compliance
Let’s take a closer look.
Network Security
Microsoft Azure offers a variety of features to protect your network from external attacks and unauthorized access.
Specifically, by using a virtual network (Azure Virtual Network), you can build a logically isolated, company-specific network environment on the cloud.
Furthermore, Azure Firewall and Network Security Groups (NSGs) can be used to control communications, enabling access control that allows only authorized communications to pass through.
Furthermore, Azure DDoS Protection is provided as a countermeasure against attacks from the internet, and a mechanism is in place to prevent service disruptions (DDoS attacks) caused by large amounts of traffic.
â–¼Typical network security features
| Azure Virtual Network | – A fundamental component of private networks in Azure, allowing for logical network isolation by assigning IP addresses and subnets. – Enables control over connectivity to other virtual networks and the internet (other Azure users cannot access them). |
|---|---|
| Azure Firewall | • Fully managed network firewall service to protect virtual networks . • Real-time threat alerts, scalable firewall, TLS inspection, and centralized security management enable advanced security measures. |
| Network Security Group (NSG) | – Access control function that allows or denies communication at the subnet or virtual machine level. – Fine-grained communication control based on port numbers and IP addresses is also possible. |
| Azure DDoS Protection | – Features that protect applications and services from DDoS attacks (Distributed Denial of Service) attacks. – Automatically detects and mitigates abnormal traffic, maintaining service availability. |
By combining and utilizing these functions, it is possible to achieve multi-layered defense at the network layer.
ID management
In a cloud environment, it is crucial to properly manage “who has access to which resources.”
Microsoft Azure provides Microsoft Entra ID (formerly Azure Active Directory) as the foundation for identity and access management.
Microsoft Entra ID allows you to centrally manage users and groups, implement single sign-on (SSO), and perform multi-factor authentication (MFA).
Furthermore, role-based access control (RBAC) allows you to assign appropriate permissions to each user for resources on Azure, reducing the risk of errors and unauthorized access by granting only the minimum necessary access privileges.
Furthermore, by utilizing conditional access mechanisms, flexible access control becomes possible based on factors such as the location of access, the state of the device, and the user’s risk level, leading to the realization of zero-trust security.
Data protection and encryption
Microsoft Azure provides encryption features as standard to protect data at rest and transmitted data.
Additionally, Azure Key Vault is provided as a service for securely managing encryption keys and secrets.
Furthermore, features such as Azure Backup and Azure Site Recovery are available for backup and disaster recovery, and by utilizing them, it is possible to establish a system that can quickly restore data and systems in the event of failures or accidents.
â–¼Typical data protection and encryption features
| Azure Key Vault | – Securely store secret information such as tokens, passwords, certificates, and API keys, and strictly control access. |
|---|---|
| Azure Backup | – In addition to virtual machines and data on Azure, it is possible to take and manage backups of data in on-premises environments. – Backup data is stored in an isolated environment (backup vault), so it is less susceptible to data tampering or deletion in the event of failures or attacks such as ransomware, and rapid recovery is possible. |
| Azure User Recovery | – In the event of a disaster, business operations can be continued by failing over the system to another region (geographic area). – Replication protects data and maintains a state where rapid recovery is possible.* |
This reduces the risk of data loss and service interruptions.
* Failover: A mechanism that switches to a standby system to continue service when a failure occurs in the active system.
* Replication: A mechanism that copies system data to another location or system so that it can be recovered in the event of a failure.
Threat countermeasures
Microsoft Azure provides features to protect your systems from threats such as cyberattacks and unauthorized access.
A prime example of this service is Microsoft Defender for Cloud, which provides visibility into the overall security of the cloud environment, enabling features such as detecting misconfigurations, identifying vulnerabilities, and detecting suspicious behavior.
Furthermore, it provides a function to detect threats such as malware and unauthorized access to various resources such as virtual machines, databases, and containers, and notify users as alerts.
Furthermore, in recent years, AI-powered security features have been enhanced, enabling detection of applications including generated AI, identification of vulnerabilities, risk assessment, and detection of threats targeting AI workloads.
This allows for the early identification of potential risks and the implementation of swift countermeasures.
Security management and monitoring
The system also provides security management and monitoring functions to continuously monitor system status and logs, and to detect and analyze anomalies.
Azure Monitor allows you to collect and visualize infrastructure, applications, and metrics, enabling anomaly detection and alert notifications.
Furthermore, by leveraging Microsoft Sentinel, you can perform threat analysis and correlation analysis based on collected logs, enabling automated incident response and advanced security monitoring.
This enables integrated management from monitoring to threat detection and response, leading to increased efficiency and enhanced security operations.
compliance
Microsoft Azure also provides features to support compliance management and governance, enabling businesses to meet required legal regulations and industry standards.
For example, services such as Microsoft Purview and Compliance Manager can be used to visualize and classify data, assess risks, and manage compliance status.
Furthermore, Microsoft Purview also supports data protection and risk management for applications that include generative AI, helping to prevent information leaks and ensure compliance when using AI.
Furthermore, as mentioned earlier, Microsoft Azure supports many international certifications and auditing standards, allowing companies to design and operate their cloud environments in accordance with these standards.
This allows for the continuous maintenance and improvement of compliance across the entire organization.
Why Azure requires additional security measures
As mentioned above, Microsoft Azure comes standard with advanced security features and protection mechanisms.
By utilizing these appropriately, it is possible to ensure a high level of safety.
However, because Microsoft Azure operates under a “shared responsibility model,” the user company is responsible for its configuration and operational management.
Therefore, companies and organizations are required to establish security measures and operational systems to ensure the safe use of Microsoft Azure.
Security incidents caused by misconfigurations are considered a major risk, especially in cloud environments.
Because Microsoft Azure is highly flexible and offers many features and configuration options, if access permissions, network exposure settings, and storage exposure settings are not properly managed, it may unintentionally become accessible from outside.
Furthermore, in recent years, identity breaches have increasingly been exploited as an attack vector in cyberattacks.
Attackers not only directly target system vulnerabilities, but also attempt to hijack user accounts through phishing and other means, and then try to access the cloud environment as legitimate users.
In the cloud, since an identity serves as the gateway to many resources, thorough account management, enhanced authentication, and the implementation of multi-factor authentication are crucial to prevent unauthorized logins.
Furthermore, in terms of operations, monitoring and security measures often become dependent on specific individuals.
If tasks such as checking logs, responding to alerts, and managing configuration changes become dependent on specific individuals, the risk of delayed or overlooked incident detection increases.
Because cloud environments are constantly changing, security cannot be a one-time setup; regular reviews and the establishment of monitoring systems are essential.
While Microsoft Azure boasts robust security features, maintaining that security requires proper configuration and continuous operational management.
Regularly checking configuration status, strengthening ID management, and establishing monitoring systems are crucial measures to enhance cloud security, as they are tailored to your company’s specific usage environment.
How to strengthen Azure security
To use Microsoft Azure securely, it is important not only to properly utilize the standard security features provided, but also to ensure security in areas for which the company or organization is responsible.
Here are five measures that companies and organizations should implement to ensure and maintain safety in areas for which they are responsible.
Let’s take a closer look.
Setting up multi-factor authentication
One of the important measures for ensuring the security of cloud environments is strengthening authentication through multi-factor authentication (MFA).
In recent years, identity breaches have increasingly become a primary attack vector in cyberattacks, and authentication methods that rely solely on IDs and passwords carry a high risk of account hijacking through phishing and password list attacks.
Therefore, by requiring additional authentication factors (such as a smartphone authentication app or one-time code) in addition to the ID and password when logging in, the risk of unauthorized login by a third party can be significantly reduced even if the password is stolen.
In Microsoft Azure, multi-factor authentication can be set up through Microsoft Entra ID, the identity management platform, and it is important to gradually apply it not only to administrator accounts but also to regular users.
Implementation of Role-Based Access Control (RBAC)
In a cloud environment, it is crucial to properly manage “who has access to which resources.”
Granting access permissions beyond what is necessary increases the risk of information theft and data breaches due to account hijacking.
To address these challenges, Microsoft Azure provides a mechanism called Role-Based Access Control (RBAC), which allows you to grant only the necessary permissions on a resource-by-resource basis to each user or group.
By properly implementing this system, it is possible to prevent the granting of excessive authority and reduce the risks caused by errors or internal fraud.
Handling administrator privileges requires particular care, and a design that separates permissions by role is recommended.
Setting up conditional access
Conditional access is also an effective means of achieving more sophisticated access control.
Conditional access is a mechanism that controls access based on factors such as the user’s login status, device status, and location of access.
For example, this allows you to implement operations such as “requiring additional authentication only when accessing from overseas” or “applying strict authentication policies to administrator accounts.”
This makes it possible to prevent high-risk logins and reduce the risk of unauthorized access.
Introduction of WAF
If you are exposing your web application to the internet, implementing a Web Application Firewall (WAF) is one effective measure to take.
A Web Application Firewall (WAF) plays a role in detecting and defending against attacks targeting web applications, such as SQL injection and cross-site scripting (XSS).
Microsoft Azure allows you to use WAF in combination with Azure Application Gateway and other services to enhance the protection of web services exposed to the internet.
This is a particularly important security measure for systems that are publicly accessible.
Implementation of external security services
For some companies and organizations, it can be difficult to monitor their cloud environment and manage security operations on their own.
In such cases, utilizing external security services or support from specialized companies is a valid option.
Specifically, by utilizing services such as cloud configuration diagnostics, 24/7 monitoring, and incident response support, it becomes possible to detect configuration errors early and respond quickly.
In particular, because cloud environments undergo continuous configuration changes, establishing a system for continuous monitoring and security assessment is crucial for ensuring long-term security.
