Securing Azure Datacenters

January 31, 2018 Bryan Lloyd

A common misconception about consuming Azure public cloud services is that Microsoft is taking care of all security aspects. Although this is partially true, as a consumer of Azure public cloud services, you are responsible for some of the security controls. The number and areas of security controls you are responsible for depends on which type of public cloud services you are consuming– Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-service (IaaS).

Microsoft will manage most of the security controls within SaaS, a significant portion within of PaaS, and a small portion within IaaS. Conversely, you will need to manage most of the controls within IaaS, some within PaaS and a small portion within SaaS.


Azure PaaS services can be consumed under two models:

  1. Multi-tenant, public IP accessible.
  2. Dedicated virtual network (v-net) integrated.

Multi-tenant PaaS is hosted on virtual infrastructure shared with other customers, whereas PaaS dedicated is provisioned on virtual infrastructure dedicated for your use. With the dedicated v-net integrated model, you are responsible for implementing more security controls; however, as the solution is not publicly accessible over the internet, with appropriate monitoring and governance provides an improved security model.

When securing Azure datacenters, one challenge is to ensure you find the correct balance between enterprise IT governance, security and line-of-business developer agility. One approach to this is to have different standards between production and non-production environments, this way developers can have the freedom to innovate within an environment with fewer controls whilst still having the required governance and controls within the production environment.

The following security pillars in Azure are areas to focus on when implementing your security controls.

  • Encryption

Encrypting data at rest and in-transit ensures that if the network or if data is ever compromised, it will not be possible for an attacker to access the content. Encryption keys should be stored in an Azure Key Vault with lifecycle management.

  • Identity

Ensuring your target operating model matches your Role Based Access Control (RBAC) design, and that a process for segregating duties exists will reduce risk.

  • Software Defined Networking

Making sure workloads of different trust levels are segregated and that traffic visibility is provided to security operation centers are some critical controls.

  • Compliance

IaaS workloads should be hardened to a defined standard with agreed core applications and any deviations should be reported and remediated.

  • Monitoring and Reporting

Proactive monitoring of security controls is important and ideally, auto-remediation of any issues should be the desired outcome.

  • Availability

Availability design is critical in order to meet the recovery time objectives for a wide range of events and ensure applications continue to operate.


The following is a more comprehensive list of security controls and the tools/solutions available within Azure to meet the controls:


      Azure Security Controls                                       Azure Tools and Solutions

Network Subscription and Network Segregation. Subnet and NSG Design, WAF & NGF Firewalls
Monitoring Log Analytics, Azure Monitor, Azure AD, Azure Security Centre, Azure Network Watcher
Virtual Machine Build Compliance Hardening Standards, ARM Templates, DSC Core Application Installation Process, Certification
Cryptography and Secret Management OS Disk Encryption, Key Vault
Vulnerability Scanning Qualys Scanning Appliance and Security Centre agent
System and Software Vulnerability Management SCCM, OMS Patching
Cloud Security Azure Platform and OS Logs sent to SIEM and SOC. OMS, ATA
Identity & Access Management Identity for Portal and Host Access, MFA, Jump Box Design
Malware Protection Deploy chosen Anti-Malware agent as part of build process
User Access Rights Design RBAC model, Azure policy design, reduced elevated privilege use
Backup Encrypted Backups, data restore process
Availability Design, availability sets and zones and backup data centre locations

Contact New Signature to ensure your Azure environment is being designed in a secure manner and that you are meeting the required controls.


Previous Article
New Signature Recognized as Microsoft Azure Expert Managed Service Provider.
New Signature Recognized as Microsoft Azure Expert Managed Service Provider.

New Signature is proud to announce that we have met the requirements of the newly launched Microsoft Azure ...

Next Video
Cloud Management for Azure with New Signature
Cloud Management for Azure with New Signature

New Signature experts cater to your Azure-related requirements offering peace of mind and ensure your cloud...