Understanding Shared Responsibility for Microsoft Azure

Security of the Azure Cloud

Microsoft Azure cloud services provide excellent financial and technical advantages, providing you a route to on-demand deployments of applications and IT resources via the internet with consumption-based pricing. Security is a high priority for deploying on Microsoft, and Azure, and distributes this security responsibilities with you to provide the highest level of protection.


Azure maintains the underlying infrastructure, and you must secure the workloads running on Azure. The security configuration options you choose relies on the sensitivity of your workload and the services you are using in Azure. For Azure infrastructure services, such as Azure VMs and Azure Storage, you have various options around which security regulations you set up. Using Azure VMs, you have total control of when patches are made along with any software you install, meaning you need to protect your systems, and patchin the same way you manage your existing machines today. If you have managed services such as Azure Machine Learning, Azure AppServices or Azure SQL, configuring security controls like patching the guest OS or maintaining instances or applications is nothing to worry about — Microsoft handles that for you. No matter which services you are utilising, it is still essential to understand your responsibilities.

What is Shared Security Responsibility?

The below model shows a breakdown of responsibilities between Microsoft and you:

For IaaS workloads in Azure, Microsoft is liable for securing the foundational services of the cloud, such as database, storage, compute power, and networking services. You’re responsible for the configuration of those services and your data on the cloud. You are responsible for network traffic protection, and any incident reporting. The application security components of your site are also your responsibility.

For PaaS workloads, such as Azure AppServices or SQL, Microsoft is responsible for managing the security of the Host Infrastructure (VMs) and Network Controls (Virtual Networks, Endpoints, and Network Security Groups or Access Control Lists).

Microsoft’s Active Directory and Azure Active Directory can be used to manage the Access Management area. However, this is something you have to implement and configure for your IaaS or PaaS deployments.

Alert Logic has solutions that help your organisation address the areas you are responsible for with your host infrastructure, network controls, application-level controls, and client & endpoint protection.

7 Best Practices for Cloud Security

There are seven essential best practices for cloud security that you should implement to protect yourself from the next vulnerability and/or wide-scale attack:

1. Secure Your Code

Securing code is your responsibility, and applications are an increasingly popular entry point into IT systems. Code that has not been thoroughly tested and secure makes it all the easier for attackers to do harm. Make sure that security is part of your software development lifecycle from the start: testing your libraries, scanning plugins, etc.

2. Create An Access Management Policy

Logins are the keys to your kingdom and should be treated as such. Access management is critical across IaaS, PaaS, and SaaS deployments. Make sure you have a solid access management policy in place, especially concerning those who are granted access temporarily. Integration of all applications and cloud environments into your corporate AD or LDAP centralised authentication model will help with this process, as will two-factor authentication.

3. Adopt a Patch Management Approach

Unpatched software and systems can lead to major issues; keep your environment secure by outlining a process where you update your systems regularly. Consider developing a checklist of essential procedures, and testing all updates to confirm that they do not damage or create vulnerabilities before implementation into your live environment. Microsoft manages this for the PaaS and SaaS services, but it is crucial to understand how they patch these workloads and when that can affect your services.

4. Log Management

Log reviews should be an essential component of your organisation’s security protocols. Logs are now useful for far more than compliance; they have become a powerful security tool. You can use log data to monitor for malicious activity and forensic investigation.

5. Build A Security Tool Kit

No single piece of software is going to handle all of your security needs. You have to implement a defence-in-depth strategy that covers all your responsibilities – Implement IP tables, web application firewalls, antivirus, intrusion detection, encryption, and log management.

6. Stay Informed

Stay informed of the latest vulnerabilities that may affect you. The internet is a wealth of information, so use it to your advantage by searching for the breaches and exploits that are happening in your industry. See the resources below for more details.

7. Understand Your Cloud Service Provider Security Model

Finally, as discussed, get to know your provider, understand where the lines are drawn and plan accordingly. By having a solid security-in-depth strategy, coupled with the right tools and people that understand how to respond, you will put yourself into a position to minimise your exposure and risk.

Resources available to you

Let Excelien keep you up-to-date of the latest developments in the cloud security industry – from emerging security threats to the most recent changes in compliance regulations through a variety of resources, including:

Alert Logic Weekly Threat Report – Subscribe to receive a weekly email of the three most significant breaches of the week from around the globe and the Top 20 malicious IP addresses.

Cloud Security Reports – Updated regularly based on a comparative analysis of security threats across thousands of Alert Logic customers with infrastructures in either enterprise data centres or the cloud environments of more than 20 hosting providers.

Alert Logic Blog – Subscribe to our blog which provides commentary on topics that are related to our technologies, such as log management, threat management and IT compliance management.