Security Pillar
TL;DR
The Security pillar focuses on protecting your workload from threats and ensuring compliance with regulations. Key concepts:
- Zero Trust: Never trust, always verify; authenticate and authorize every request
- Defense in Depth: Multiple layers of security controls
- Least Privilege: Grant minimum permissions necessary
- Data Protection: Encrypt data at rest and in transit
- Security Operations: Continuous monitoring and incident response
Design Principles
Core Security Principles
| Principle | Description | Implementation |
|---|---|---|
| Zero Trust | Verify explicitly, least privilege, assume breach | Identity verification, micro-segmentation |
| Defense in Depth | Multiple security layers | Network, identity, application, data controls |
| Least Privilege | Minimum necessary permissions | RBAC, JIT access, PIM |
| Shift Left | Security early in development | DevSecOps, security scanning |
| Assume Breach | Plan for compromise | Detection, response, recovery |
Zero Trust Model
Defense in Depth
Security Layers
Controls by Layer
| Layer | Azure Services | Key Controls |
|---|---|---|
| Identity | Entra ID, PIM, Conditional Access | MFA, SSO, identity protection |
| Perimeter | DDoS Protection, Firewall, Front Door | Traffic filtering, rate limiting |
| Network | NSG, Private Link, VNet | Segmentation, private connectivity |
| Compute | Defender for Cloud, Update Management | Vulnerability scanning, patching |
| Application | App Service, API Management | WAF, input validation, CORS |
| Data | Key Vault, Storage encryption | Encryption, access control |
Identity and Access Management
Microsoft Entra ID (Azure AD)
Authentication Methods
| Method | Security Level | Use Case |
|---|---|---|
| Password only | Low | Legacy (avoid) |
| MFA (SMS) | Medium | Basic protection |
| MFA (Authenticator) | High | Standard enterprise |
| Passwordless (FIDO2) | Very High | High-security scenarios |
| Certificate-based | Very High | Device authentication |
Role-Based Access Control (RBAC)
RBAC Best Practices
```bash
# List role assignments for a resource group
az role assignment list --resource-group myRG --output table

# Assign the built-in Reader role to a user, scoped to a single resource group
az role assignment create \
  --assignee user@example.com \
  --role "Reader" \
  --resource-group myRG

# Create a custom role that grants only the VM lifecycle actions an operator needs
# (no wildcards, assignable only within one subscription)
az role definition create --role-definition '{
  "Name": "VM Operator",
  "Description": "Can start and stop VMs",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "AssignableScopes": ["/subscriptions/{subscription-id}"]
}'
```
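The custom role above is a good least-privilege shape: three explicit actions, one subscription scope. The following Python checker, added here as an example and not part of the original page or of any Azure tooling, lints a role definition in the same JSON form the CLI accepts and flags the two patterns that most often undermine least privilege: wildcard actions and the tenant root `/` as an assignable scope. The `BROAD_ROLE` input is constructed for contrast.

```python
import json

# The role definition from the page, as the CLI's JSON (subscription id left as the page's placeholder)
PAGE_ROLE = json.loads('''{
  "Name": "VM Operator",
  "Description": "Can start and stop VMs",
  "Actions": [
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Compute/virtualMachines/deallocate/action"
  ],
  "AssignableScopes": ["/subscriptions/{subscription-id}"]
}''')

# Constructed counter-example: a "VM Operator" that is really a full Compute admin at tenant root
BROAD_ROLE = {
    "Name": "VM Operator (broad)",
    "Actions": ["Microsoft.Compute/*"],
    "AssignableScopes": ["/"],
}


def lint_role(role: dict) -> list[str]:
    """Return human-readable findings; an empty list means the definition passed every check."""
    findings = []
    actions = role.get("Actions", [])
    scopes = role.get("AssignableScopes", [])

    if not actions:
        findings.append("Actions is empty: the role grants nothing and is probably misdefined")
    for action in actions:
        # A '*' anywhere in an action string expands to every operation under that prefix,
        # including write/delete operations the role's description does not mention.
        if "*" in action:
            findings.append(f"wildcard action {action!r} grants more than the role's stated purpose")

    if not scopes:
        findings.append("AssignableScopes is empty: Azure requires at least one scope")
    for scope in scopes:
        # '/' is the tenant root scope; a role assignable there can be handed out across every subscription.
        if scope == "/":
            findings.append("AssignableScopes contains '/' (tenant root); restrict to the subscriptions that need it")

    return findings


if __name__ == "__main__":
    for role in (PAGE_ROLE, BROAD_ROLE):
        result = lint_role(role)
        print(role["Name"], "->", result or "OK")
```

Run it before `az role definition create` as a cheap pre-commit gate; the same checks apply equally to `az role definition list --custom-role-only true` output when auditing roles that already exist.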
Privileged Identity Management (PIM)
| Feature | Description |
|---|---|
| Just-in-Time Access | Activate roles only when needed |
| Time-bound | Access expires automatically |
| Approval Workflow | Require approval for sensitive roles |
| Audit Trail | Complete history of privilege usage |
| Access Reviews | Regular review of role assignments |
Network Security
Network Segmentation
Network Security Groups (NSG)
```bash
# Create NSG
az network nsg create --name myNSG --resource-group myRG

# Add inbound rule - allow HTTPS (rules are evaluated in ascending priority order; first match wins)
az network nsg rule create \
  --nsg-name myNSG \
  --resource-group myRG \
  --name AllowHTTPS \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 443

# Add inbound rule - deny all other
# 4096 is the lowest user priority, so this sits above the built-in 65xxx default rules
az network nsg rule create \
  --nsg-name myNSG \
  --resource-group myRG \
  --name DenyAllInbound \
  --priority 4096 \
  --direction Inbound \
  --access Deny \
  --protocol '*' \
  --destination-port-ranges '*'
```
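NSG rules are processed in ascending priority order, the first matching rule decides, and every NSG ends with built-in default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500). The Python model below, an added example rather than Azure's own engine or code from this page, reproduces that evaluation for the two rules created above so you can see what they actually do to sample traffic. It simplifies the `VirtualNetwork` service tag to a single assumed address space (`10.0.0.0/16`) and the `AzureLoadBalancer` tag to the platform probe address 168.63.129.16; the packet sources are constructed test values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_ADDRESS_SPACE = "10.0.0.0/16"          # assumption: the VNet this NSG is attached to
AZURE_LB_PROBE_IP = "168.63.129.16/32"      # what the AzureLoadBalancer service tag resolves to


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # 100-4096 for user rules, 65000+ for Azure's default rules
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp", "Icmp" or "*"
    dest_ports: str = "*"   # "443", "80-443", "22,3389" or "*"
    source: str = "*"       # CIDR, "*" or a service tag handled below


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _source_matches(spec: str, src_ip: str) -> bool:
    tags = {"VirtualNetwork": VNET_ADDRESS_SPACE, "AzureLoadBalancer": AZURE_LB_PROBE_IP}
    if spec == "*":
        return True
    return ip_address(src_ip) in ip_network(tags.get(spec, spec))


def evaluate(rules, direction: str, protocol: str, dest_port: int, src_ip: str):
    """Return (access, rule_name) of the first rule that matches in ascending priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _port_matches(rule.dest_ports, dest_port):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        return rule.access, rule.name
    raise ValueError("no rule matched; a real NSG always ends in DenyAllInBound")


# The two rules created by the az commands above
PAGE_RULES = [
    NsgRule("AllowHTTPS", 100, "Inbound", "Allow", "Tcp", "443"),
    NsgRule("DenyAllInbound", 4096, "Inbound", "Deny", "*", "*"),
]

# Azure's built-in inbound default rules (present on every NSG, cannot be removed)
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "*", "VirtualNetwork"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "*", "AzureLoadBalancer"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*"),
]


if __name__ == "__main__":
    nsg = PAGE_RULES + DEFAULT_INBOUND
    for proto, port, src in [("Tcp", 443, "203.0.113.7"), ("Tcp", 22, "203.0.113.7"), ("Tcp", 22, "10.0.1.5")]:
        print(f"{proto}/{port} from {src}: {evaluate(nsg, 'Inbound', proto, port, src)}")
```

The third probe is the instructive one: without the explicit `DenyAllInbound` rule, SSH from inside the VNet (`10.0.1.5`) would be allowed by the default AllowVnetInBound rule; with the page's 4096 deny in place, even intra-VNet traffic is blocked unless a higher-priority rule allows it. That is the intended "deny by default" behaviour, but it means the NSG also needs explicit allows for any east-west traffic and for load-balancer health probes.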
Private Connectivity Options
| Service | Use Case | Traffic Path |
|---|---|---|
| Private Endpoint | Access PaaS over private IP | VNet → Private IP → PaaS |
| Service Endpoint | Optimized PaaS access | VNet → Azure backbone → PaaS |
| VNet Integration | App Service to VNet | App Service → VNet resources |
| Private Link Service | Expose your service privately | Consumer VNet → Your service |
Private Endpoint Example
```bicep
// Bicep - Create Private Endpoint for Storage
param location string = resourceGroup().location
param subnetId string   // subnet the endpoint NIC is placed in

// `storageAccount` is the storage account resource declared elsewhere in this template
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-storage'
  location: location
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'storage-connection'
        properties: {
          privateLinkServiceId: storageAccount.id
          groupIds: ['blob']   // one endpoint per sub-resource (blob, file, table, ...)
        }
      }
    ]
  }
}

// The zone by itself changes nothing: it must also be linked to the VNet (virtualNetworkLinks)
// and attached to the endpoint (privateDnsZoneGroups) so clients resolve the blob
// hostname to the private IP instead of the public one.
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.core.windows.net'
  location: 'global'
}
```
Data Protection
Encryption Overview
Encryption Options
| Data State | Service | Key Management |
|---|---|---|
| At Rest | Storage Service Encryption | Microsoft-managed or CMK |
| At Rest | Azure Disk Encryption | Key Vault (BitLocker/DM-Crypt) |
| At Rest | SQL TDE | Service-managed or CMK |
| In Transit | TLS 1.2+ | Certificate management |
| In Use | Always Encrypted | Client-side encryption |
| In Use | Confidential VMs | Hardware-based TEE |
Azure Key Vault
```csharp
// C# - Using Key Vault for secrets
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// DefaultAzureCredential picks up a managed identity in Azure and developer credentials locally,
// so no secret is needed to reach the vault itself
var client = new SecretClient(
    new Uri("https://myvault.vault.azure.net/"),
    new DefaultAzureCredential());

// Get secret
KeyVaultSecret secret = await client.GetSecretAsync("DatabasePassword");
string connectionString = secret.Value;

// Set secret
await client.SetSecretAsync("ApiKey", "my-api-key-value");
```
```bash
# Azure CLI - Key Vault operations
# Create Key Vault
az keyvault create --name myKeyVault --resource-group myRG --location eastus

# Add secret (note: a value passed on the command line is recorded in shell history)
az keyvault secret set --vault-name myKeyVault --name "DbPassword" --value "SecretValue123"

# Get secret
az keyvault secret show --vault-name myKeyVault --name "DbPassword" --query value -o tsv

# Enable soft delete and purge protection
# (soft delete is on by default for new vaults; purge protection is the setting that actually needs enabling
# and cannot be turned off again once set)
az keyvault update --name myKeyVault --enable-soft-delete true --enable-purge-protection true
```
Data Classification
| Classification | Description | Controls |
|---|---|---|
| Public | No business impact if disclosed | Basic access control |
| Internal | Internal use only | Authentication required |
| Confidential | Business sensitive | Encryption, audit logging |
| Highly Confidential | Severe impact if disclosed | Encryption, MFA, DLP, monitoring |
Application Security
Secure Development Practices
| Practice | Description | Tools |
|---|---|---|
| SAST | Static code analysis | SonarQube, CodeQL, Checkmarx |
| DAST | Dynamic application testing | OWASP ZAP, Burp Suite |
| SCA | Dependency scanning | Dependabot, Snyk, WhiteSource |
| Secret Scanning | Detect leaked secrets | GitHub Secret Scanning, GitLeaks |
| Container Scanning | Image vulnerability scanning | Trivy, Aqua, Defender for Containers |
OWASP Top 10 Mitigations
| Vulnerability | Mitigation | Azure Service |
|---|---|---|
| Injection | Parameterized queries, input validation | WAF, API Management |
| Broken Auth | MFA, session management | Entra ID, B2C |
| Sensitive Data | Encryption, masking | Key Vault, Always Encrypted |
| XXE | Disable external entities | WAF rules |
| Broken Access | RBAC, authorization checks | Entra ID, custom middleware |
| Misconfiguration | Security baselines, scanning | Defender for Cloud |
| XSS | Output encoding, CSP | WAF, CDN headers |
| Deserialization | Input validation, type checking | Custom code |
| Components | Dependency scanning, updates | Dependabot, Defender |
| Logging | Centralized logging, monitoring | Log Analytics, Sentinel |
Web Application Firewall (WAF)
```bicep
// Bicep - Application Gateway with WAF
resource appGateway 'Microsoft.Network/applicationGateways@2023-05-01' = {
  name: 'appgw-waf'
  location: location
  properties: {
    sku: {
      name: 'WAF_v2'
      tier: 'WAF_v2'
    }
    webApplicationFirewallConfiguration: {
      enabled: true
      firewallMode: 'Prevention'   // 'Detection' only logs; 'Prevention' blocks matching requests
      ruleSetType: 'OWASP'
      ruleSetVersion: '3.2'
      disabledRuleGroups: []
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
    }
    // ... other configuration
  }
}
```
Security Operations
Microsoft Defender for Cloud
Security Monitoring Stack
| Service | Purpose | Data Type |
|---|---|---|
| Defender for Cloud | Posture management, threat protection | Security findings |
| Microsoft Sentinel | SIEM and SOAR | Security events, incidents |
| Log Analytics | Log aggregation and analysis | All logs |
| Azure Monitor | Metrics and alerts | Performance, availability |
Security Alerts and Response
```kusto
// KQL - Query security alerts in Log Analytics
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity == "High"
| summarize Count = count() by AlertName, ProviderName
| order by Count desc

// Query failed sign-ins
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"   // ResultType is a string column; "0" is a successful sign-in
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > 5
| order by FailedAttempts desc
```
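To make the failed sign-in query concrete, here is the same logic in Python run over a handful of constructed `SigninLogs`-shaped JSON lines. This is an added example, not code from the page or from Microsoft; the records, timestamps and addresses are made up, and only the four columns the KQL touches are modelled. It goes one step past the page's query with a second function that groups the same failures by source IP and counts distinct users, the shape a password-spray attempt takes in the same table.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the sample stays deterministic; ago(1h) in KQL is relative to query time
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _line(minutes_ago: int, upn: str, ip: str, result_type: str) -> str:
    """Build one constructed SigninLogs record as a JSON line."""
    return json.dumps({
        "TimeGenerated": (NOW - timedelta(minutes=minutes_ago)).isoformat(),
        "UserPrincipalName": upn,
        "IPAddress": ip,
        "ResultType": result_type,   # string column; "0" = success, "50126" = bad username/password
    })


# Constructed sample: alice fails 7 times then succeeds from one IP; three different users fail
# from 203.0.113.5; carol's failures are older than the 1h window and must be ignored.
SAMPLE_LINES = (
    [_line(i, "alice@example.com", "198.51.100.10", "50126") for i in range(1, 8)]
    + [_line(5, "alice@example.com", "198.51.100.10", "0")]
    + [_line(i, "bob@example.com", "203.0.113.5", "50126") for i in range(1, 4)]
    + [_line(2, "dave@example.com", "203.0.113.5", "50126")]
    + [_line(3, "erin@example.com", "203.0.113.5", "50126")]
    + [_line(90 + i, "carol@example.com", "203.0.113.9", "50126") for i in range(6)]
)


def _recent_failures(lines, now, window):
    """Yield parsed records inside the window whose ResultType is not the success code "0"."""
    for line in lines:
        rec = json.loads(line)
        if datetime.fromisoformat(rec["TimeGenerated"]) <= now - window:
            continue
        if rec["ResultType"] == "0":
            continue
        yield rec


def failed_signins(lines, now=NOW, window=timedelta(hours=1), threshold=5):
    """Equivalent of the page's KQL: (UPN, IP, FailedAttempts) with FailedAttempts > threshold, descending."""
    counts = Counter((r["UserPrincipalName"], r["IPAddress"]) for r in _recent_failures(lines, now, window))
    rows = [(upn, ip, n) for (upn, ip), n in counts.items() if n > threshold]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def spray_sources(lines, now=NOW, window=timedelta(hours=1), min_users=3):
    """Extension: source IPs whose failures span at least min_users distinct accounts."""
    users_by_ip = defaultdict(set)
    for r in _recent_failures(lines, now, window):
        users_by_ip[r["IPAddress"]].add(r["UserPrincipalName"])
    rows = [(ip, len(users)) for ip, users in users_by_ip.items() if len(users) >= min_users]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print("brute-force candidates:", failed_signins(SAMPLE_LINES))
    print("spray candidates:", spray_sources(SAMPLE_LINES))
```

The two views are complementary: the per-user threshold catches one account being hammered, while the per-IP distinct-user count catches an attacker staying under that threshold per account. In Sentinel both would normally be scheduled analytics rules rather than ad-hoc queries.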
Governance and Compliance
Azure Policy for Security
// Azure Policy - Require HTTPS for Storage

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
          "notEquals": true
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```
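Policy rules are easiest to reason about when you can see them evaluated against concrete resources. The Python below is an added example, not Azure Policy's engine and not from this page: a small evaluator for the subset of the rule language the policy above uses (`field`, `equals`, `notEquals`, `exists`, `allOf`, `anyOf`, `not`), with a hand-written alias table standing in for Azure's alias resolution and the documented case-insensitive string comparison. The resource documents are constructed; the result shows which ones the `deny` would stop.

```python
import json

# The policy from the page, parsed as-is
PAGE_POLICY = json.loads('''{
  "mode": "All",
  "policyRule": {
    "if": { "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": true }
    ] },
    "then": { "effect": "deny" }
  }
}''')

# Assumption: a minimal alias table mapping policy field names onto resource JSON paths.
# Azure derives these from the resource provider schemas; two entries are enough here.
ALIASES = {
    "type": ("type",),
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": ("properties", "supportsHttpsTrafficOnly"),
}
_MISSING = object()


def get_field(resource: dict, field: str):
    node = resource
    for key in ALIASES[field]:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def _norm(value) -> str:
    # Azure Policy compares values as case-insensitive strings; a missing field normalises to ""
    return "" if value is _MISSING else str(value).lower()


def matches(cond: dict, resource: dict) -> bool:
    """Evaluate one condition (logical or field-based) against a resource document."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not _MISSING) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(policy: dict, resource: dict):
    """Return the policy's effect (here 'deny') when the 'if' block matches, otherwise None."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource) else None


# Constructed resource documents (the shape of an ARM request body, trimmed to what the rule reads)
HTTP_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "properties": {"supportsHttpsTrafficOnly": False}}
HTTPS_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "properties": {"supportsHttpsTrafficOnly": True}}
LEGACY_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "properties": {}}   # property never set
VM = {"type": "Microsoft.Compute/virtualMachines", "properties": {}}


if __name__ == "__main__":
    for name, res in [("http", HTTP_STORAGE), ("https", HTTPS_STORAGE), ("legacy", LEGACY_STORAGE), ("vm", VM)]:
        print(f"{name:7} -> {effect_for(PAGE_POLICY, res)}")
```

The `LEGACY_STORAGE` case is the one worth checking before assigning a policy: in this evaluator a missing property fails `notEquals: true` and is denied, which is the safe direction. Whatever the real engine does for a given alias, the built-in equivalents of this policy pair the `notEquals` with an explicit `exists: false` branch inside an `anyOf`, and a quick evaluator like this is a good place to confirm a rule covers both shapes before it is set to `deny`.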
Compliance Frameworks
| Framework | Description | Azure Support |
|---|---|---|
| SOC 2 | Service organization controls | Compliance Manager |
| ISO 27001 | Information security management | Built-in policies |
| PCI DSS | Payment card industry | Regulatory compliance |
| HIPAA | Healthcare data protection | BAA available |
| GDPR | EU data protection | Data residency, DPAs |
| FedRAMP | US government cloud | Azure Government |
Security Checklist
Identity & Access
- Enable MFA for all users
- Implement Conditional Access policies
- Use Privileged Identity Management for admin roles
- Review and remove unused permissions
- Use managed identities for Azure resources
Network Security
- Implement network segmentation
- Use Private Endpoints for PaaS services
- Configure NSGs with deny-by-default
- Enable DDoS Protection for public endpoints
- Deploy Web Application Firewall
Data Protection
- Enable encryption at rest for all data stores
- Enforce TLS 1.2+ for all connections
- Store secrets in Key Vault
- Implement data classification
- Configure backup and retention policies
Security Operations
- Enable Defender for Cloud
- Configure security alerts and notifications
- Implement centralized logging
- Create incident response procedures
- Conduct regular security assessments
Assessment Questions
| Area | Question |
|---|---|
| Identity | Is MFA enforced for all users? |
| Access | Do you follow least privilege principles? |
| Network | Are PaaS services accessed via private endpoints? |
| Data | Is all sensitive data encrypted? |
| Secrets | Are secrets stored in Key Vault? |
| Monitoring | Do you have security monitoring in place? |
| Compliance | What compliance frameworks apply? |
| Incident Response | Do you have an IR plan? |
Key Takeaways
- Zero Trust: Verify every request, regardless of source
- Defense in Depth: Multiple layers prevent single points of failure
- Least Privilege: Grant minimum necessary permissions
- Encrypt Everything: Data at rest, in transit, and in use
- Monitor Continuously: Detect and respond to threats quickly