Unit 3

The document outlines the security, privacy, compliance, and trust features of Microsoft Azure, highlighting its customizable security options and tools such as Microsoft Sentinel and Microsoft Defender for Cloud. It emphasizes the importance of identity and access management (IAM), data protection, and compliance with various regulatory frameworks like GDPR and HIPAA. Additionally, it discusses Azure governance methodologies, including Azure Policy and Role-Based Access Control (RBAC), to ensure effective management of Azure resources.

Security, Privacy, Compliance, and Trust
Amrish Khari, Assistant Professor
Unit-3

Security, Privacy, Compliance, and Trust


Overview
Azure provides a wide array of configurable security options and the ability to
control them so that you can customize security to meet the unique requirements of
your organization’s deployments.
One of the best reasons to use Azure for your applications and services is to take
advantage of its wide array of security tools and capabilities. These tools and
capabilities help make it possible to create secure solutions on the secure Azure
platform. Microsoft Azure provides confidentiality, integrity, and availability of
customer data, while also enabling transparent accountability.
Azure security capabilities

• Operations
• Applications
• Storage
• Networking
• Compute and Identity
Azure Secure Operations

Microsoft Sentinel
Microsoft Sentinel is a scalable, cloud-native, security information and event
management (SIEM) and security orchestration, automation, and response (SOAR)
solution. Microsoft Sentinel delivers intelligent security analytics and threat
intelligence across the enterprise, providing a single solution for attack detection,
threat visibility, proactive hunting, and threat response.
Operations Contd..
Microsoft Defender for Cloud
Microsoft Defender for Cloud helps you prevent, detect, and respond to threats with
increased visibility into and control over the security of your Azure resources. It provides
integrated security monitoring and policy management across your Azure subscriptions,
helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of
security solutions.
In addition, Defender for Cloud helps with security operations by providing you a single
dashboard that surfaces alerts and recommendations that can be acted upon immediately.
Often, you can remediate issues with a single click within the Defender for Cloud console.
Application Insights

Application Insights is an extensible Application Performance Management (APM) service for
web developers. It includes powerful analytics tools to help you diagnose issues and to
understand what users actually do with your apps. It monitors your application all the time it's
running, both during testing and after you've published or deployed it.
If there are crashes, failures or performance issues, you can search through the telemetry data in
detail to diagnose the cause. The service also sends you emails if there are any changes in the
availability and performance of your app. Application Insights thus becomes a valuable security
tool because it supports the availability leg of the confidentiality, integrity, and availability
(CIA) security triad.
Operations Contd..

Azure Monitor
Azure Monitor offers visualization, query, routing, alerting, auto scale, and
automation on data both from the Azure subscription (Activity Log) and each
individual Azure resource (Resource Logs). You can use Azure Monitor to alert you
on security-related events that are generated in Azure logs.
Operations Contd..
Azure Monitor logs
Azure Monitor logs provides an IT management solution for both on-premises and
third-party cloud-based infrastructure (such as AWS) in addition to Azure resources.
Data from Azure Monitor can be routed directly to Azure Monitor logs so you can see
metrics and logs for your entire environment in one place.
Azure Monitor logs can be a useful tool in forensic and other security analysis, as the
tool enables you to quickly search through large amounts of security-related entries
with a flexible query approach. In addition, on-premises firewall and proxy logs can
be exported into Azure and made available for analysis using Azure Monitor logs.
Azure Storage Security
Azure role-based access control (Azure RBAC)
You can secure your storage account with Azure role-based access control (Azure
RBAC). Restricting access based on the need to know and least privilege security
principles is imperative for organizations that want to enforce security policies for
data access. These access rights are granted by assigning the appropriate Azure role to
groups and applications at a certain scope. You can use Azure built-in roles, such as
Storage Account Contributor, to assign privileges to users. Access to the storage keys
for a storage account using the Azure Resource Manager model can be controlled
through Azure RBAC.
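The slides state that access, including access to the storage keys, is granted by assigning roles at a scope. The following is an added example, not part of the lecture material, that models how Azure RBAC evaluates such assignments: Actions and NotActions patterns with `*` wildcards, and scope inheritance from subscription down to resource group and resource. The role names `Reader` and `Storage Account Contributor` are Azure built-in roles (only the relevant action patterns are reproduced); `Custom Storage Operator`, the principals, and the scope paths are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed subset of two Azure built-in roles plus one hypothetical custom role.
# Real built-in roles list many more actions; only the patterns that matter here appear.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Storage Account Contributor": {
        "Actions": ["Microsoft.Storage/storageAccounts/*"], "NotActions": []},
    # Hypothetical custom role: manage storage accounts but never read the account keys.
    "Custom Storage Operator": {
        "Actions": ["Microsoft.Storage/storageAccounts/*"],
        "NotActions": ["Microsoft.Storage/storageAccounts/listKeys/action"]},
}

def role_permits(role, action):
    """A role allows an action if it matches an Actions pattern and no NotActions
    pattern. '*' matches any characters, including '/', as in Azure."""
    d = ROLES[role]
    allowed = any(fnmatchcase(action, p) for p in d["Actions"])
    excluded = any(fnmatchcase(action, p) for p in d["NotActions"])
    return allowed and not excluded

def in_scope(assignment_scope, resource_scope):
    """An assignment applies at the scope it is made on and at every scope beneath it."""
    a, r = assignment_scope.lower(), resource_scope.lower()
    return r == a or r.startswith(a + "/")

def is_authorized(assignments, principal, action, resource_scope):
    """Effective permission is the union of every assignment that reaches the resource."""
    return any(a["principal"] == principal
               and in_scope(a["scope"], resource_scope)
               and role_permits(a["role"], action)
               for a in assignments)

# Constructed scopes and assignments (the subscription id is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_DATA = SUB + "/resourceGroups/rg-data"
SA_DATA = RG_DATA + "/providers/Microsoft.Storage/storageAccounts/stdata"
SA_OTHER = SUB + "/resourceGroups/rg-other/providers/Microsoft.Storage/storageAccounts/stother"
ASSIGNMENTS = [
    {"principal": "alice", "role": "Reader", "scope": SUB},
    {"principal": "bob", "role": "Storage Account Contributor", "scope": RG_DATA},
    {"principal": "carol", "role": "Custom Storage Operator", "scope": SUB},
]
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
READ_SA = "Microsoft.Storage/storageAccounts/read"

if __name__ == "__main__":
    checks = [("alice", READ_SA, SA_DATA), ("alice", LIST_KEYS, SA_DATA),
              ("bob", LIST_KEYS, SA_DATA), ("bob", LIST_KEYS, SA_OTHER),
              ("carol", LIST_KEYS, SA_DATA)]
    for who, act, scope in checks:
        print(f"{who:6} {act:52} {scope.rsplit('/', 1)[-1]:8} "
              f"{is_authorized(ASSIGNMENTS, who, act, scope)}")
```

Reader at the subscription can read the account but not list its keys; the contributor role reaches only the resource group it was assigned on; the custom role shows how NotActions keeps key access out of an otherwise broad role.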
Azure Storage Security

Shared Access Signature


A shared access signature (SAS) provides delegated access to resources in your
storage account. The SAS means that you can grant a client limited permissions to
objects in your storage account for a specified period and with a specified set of
permissions. You can grant these limited permissions without having to share your
account access keys.
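To make the delegation idea concrete, here is an added example (not from the slides, and not Azure's exact string-to-sign format) that models a SAS: the issuer keeps the account key and hands the client only the token fields plus an HMAC-SHA256 signature over them, so the client can act within the stated permissions and validity window but cannot widen either. The field names `sr`, `sp`, `st`, `se` and `sig` mirror Azure's SAS query parameters; the account key, times and blob path are constructed.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed account key (base64, as Azure presents storage keys); it never leaves the issuer.
ACCOUNT_KEY = base64.b64encode(b"constructed-storage-account-key-0000").decode()

def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")   # ISO 8601 UTC; sorts chronologically as text

def _sign(key_b64, fields):
    """HMAC-SHA256 over the newline-joined fields, keyed with the decoded account key."""
    mac = hmac.new(base64.b64decode(key_b64), "\n".join(fields).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def issue_sas(key_b64, resource, permissions, start, expiry):
    """Issuer side: bind resource, permission letters and validity window under the key."""
    st, se = _ts(start), _ts(expiry)
    sig = _sign(key_b64, [resource, permissions, st, se])
    return urlencode({"sr": resource, "sp": permissions, "st": st, "se": se, "sig": sig})

def authorize(key_b64, token, resource, permission, now):
    """Service side: verify the signature first, then resource, window and permission.
    Returns a reason string so the decision can be logged."""
    q = {k: v[0] for k, v in parse_qs(token, strict_parsing=True).items()}
    expected = _sign(key_b64, [q["sr"], q["sp"], q["st"], q["se"]])
    if not hmac.compare_digest(expected, q["sig"]):
        return "denied: bad signature"            # any edited field invalidates the token
    if q["sr"] != resource:
        return "denied: wrong resource"
    if not q["st"] <= _ts(now) <= q["se"]:
        return "denied: outside validity window"
    if permission not in q["sp"]:
        return "denied: permission not granted"
    return "allowed"

# Constructed scenario: a read-only token valid for one hour on a single blob.
START = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
EXPIRY = START + timedelta(hours=1)
IN_WINDOW = START + timedelta(minutes=30)
AFTER_EXPIRY = EXPIRY + timedelta(minutes=1)
RESOURCE = "/audit-logs/signins-2025-01-01.json"
TOKEN = issue_sas(ACCOUNT_KEY, RESOURCE, "r", START, EXPIRY)
# A client that edits its own token to add write permission breaks the signature.
TAMPERED = TOKEN.replace("sp=r&", "sp=rw&")

if __name__ == "__main__":
    print(TOKEN)
    print(authorize(ACCOUNT_KEY, TOKEN, RESOURCE, "r", IN_WINDOW))      # allowed
    print(authorize(ACCOUNT_KEY, TOKEN, RESOURCE, "w", IN_WINDOW))      # denied: permission not granted
    print(authorize(ACCOUNT_KEY, TOKEN, RESOURCE, "r", AFTER_EXPIRY))   # denied: outside validity window
    print(authorize(ACCOUNT_KEY, TAMPERED, RESOURCE, "w", IN_WINDOW))   # denied: bad signature
```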
Azure Storage Security

Encryption in Transit
Encryption in transit is a mechanism of protecting data when it is transmitted across
networks. With Azure Storage, you can secure data using:
• Transport-level encryption, such as HTTPS when you transfer data into or out of
Azure Storage.
• Wire encryption, such as SMB 3.0 encryption for Azure File shares.
• Client-side encryption, to encrypt the data before it is transferred into storage and to
decrypt the data after it is transferred out of storage.
Azure Storage Security
Encryption at rest
For many organizations, data encryption at rest is a mandatory step towards data privacy,
compliance, and data sovereignty. There are three Azure storage security features that provide
encryption of data that is “at rest”:
• Storage Service Encryption allows you to request that the storage service automatically encrypt
data when writing it to Azure Storage.
• Client-side Encryption also provides the feature of encryption at rest.
• Azure Disk Encryption for Linux VMs and Azure Disk Encryption for Windows VMs allows
you to encrypt the OS disks and data disks used by an IaaS virtual machine.
Azure Networking Security
Network Layer Controls
Network access control is the act of limiting connectivity to and from specific devices
or subnets and represents the core of network security. The goal of network access
control is to make sure that your virtual machines and services are accessible to only
users and devices to which you want them accessible.
Azure Networking Security Contd..
Azure Firewall
Azure Firewall is a cloud-native and intelligent network firewall security service that
provides threat protection for your cloud workloads running in Azure. It's a fully stateful
firewall as a service with built-in high availability and unrestricted cloud scalability.

Azure Firewall is offered in two variants: Standard and Premium. Azure Firewall
Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber
Security. Azure Firewall Premium provides advanced capabilities, including signature-based
IDPS (intrusion detection and prevention), to allow rapid detection of attacks by looking for
specific patterns.
Identity and Access Management (IAM)
What is identity and access management (IAM)?
Identity and access management gives secure access to company resources—like emails,
databases, data, and applications—to verified entities, ideally with a bare minimum of
interference. The goal is to manage access so that the right people can do their jobs and
the wrong people, like hackers, are denied entry.

With an IAM system, the organization can quickly and accurately verify a person’s
identity and that they have the necessary permissions to use the requested resource during
each access attempt.
How IAM works
There are two parts to granting secure access to an organization’s resources:
Identity management and access management.

Identity management checks a login attempt against an identity management database,
which is an ongoing record of everyone who should have access. This information must be
constantly updated as people join or leave the organization, their roles and projects change,
and the organization’s scope evolves. Such a database includes employee names, job titles,
direct reports, mobile phone numbers, and personal email addresses.
Matching someone’s login information, like their username and password, with their identity
in the database is called authentication.
Contd…
Access management is the second half of IAM. After the IAM system has verified that the
person or thing that’s attempting to access a resource matches their identity, access
management keeps track of which resources the person or thing has permission to access.
Most organizations grant varying levels of access to resources and data and these levels are
determined by factors like job title, tenure, security clearance, and project.
Granting the correct level of access after a user’s identity is authenticated is called
authorization.
The goal of IAM systems is to make sure that authentication and authorization happen
correctly and securely at every access attempt.
Advantages of IAM
The right access for the right people
With the ability to create and enforce centralized rules and access privileges, an IAM system
makes it easier to ensure that users have access to the resources they need without making it
possible for them to access sensitive information they don’t need. This is known as
role-based access control (RBAC). RBAC is a scalable way to restrict access to only the
people who need that access to perform their role. Roles can be assigned based on a fixed set
of permissions or custom settings.
Contd…
Unhindered productivity
As important as security is, productivity and user experience are also important. As tempting
as it might be to implement a complicated security system to prevent breaches, having
multiple barriers to productivity like multiple logins and passwords is a frustrating user
experience. IAM tools like single sign-on (SSO) and unified user profiles make it possible to
grant secure access to employees across multiple channels like on-premises resources, cloud
data, and third-party applications without multiple logins.
Contd…
Protection from data breaches
While no security system is infallible, using IAM technology significantly reduces your risk
of data breaches. IAM tools like MFA, passwordless authentication, and SSO give users the
ability to verify their identities using more than just a username and password, which can be
forgotten, shared, or hacked. Expanding user login options with an IAM solution reduces
that risk by adding an additional layer of security to the login process that can’t as easily be
hacked or shared.
Contd…
Data encryption
One of the reasons IAM is so effective at elevating an organization’s security is that many
IAM systems offer encryption tools. These protect sensitive information when it’s
transmitted to or from the organization and features like Conditional Access enable IT
administrators to set conditions such as device, location, or real-time risk information as
conditions for access. This means the data is safe even in the event of a breach because the
data can only be decrypted under verified conditions.
Contd…
Less manual work for IT
By automating IT department tasks like helping people reset their passwords, unlock their
accounts, and monitoring access logs to identify anomalies, IAM systems can save IT
departments time and effort. This frees up the IT department to focus on other important
tasks like implementing a Zero Trust strategy throughout the rest of the organization. IAM is
essential to Zero Trust, which is a security framework built on the principles of verifying
explicitly, using least privileged access, and assuming breach.
Azure Active Directory
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access
management service. It enables users to log into cloud services such as Microsoft 365 and
access resources in Azure, including custom applications that you create and host in Azure.
You can also use Azure AD to provide access for your users to resources hosted
on-premises.
Azure Active Directory has been renamed Microsoft Entra ID, a directory and identity
management service that operates in the cloud and offers authentication and authorization
services to various Microsoft services like Microsoft 365, Dynamics 365, and Microsoft
Azure.
Features of Azure AD
REST APIs: Azure AD uses Representational State Transfer (REST) APIs to support
communication to other web-based services.

Authentication: Azure AD uses cloud-based authentication protocols like OAuth2, SAML,
and WS-Security for user authentication.

Network Organization: Each Azure AD instance is called a “tenant”, which is a flat
structure of users and groups.
Contd…
Entitlement Management: Admins organize users into groups, and then give groups access
to apps and resources.

Devices: Azure AD provides mobile device management with Microsoft Intune

Desktops: Windows desktops can join Azure AD with Microsoft Intune

Servers: Azure AD uses Azure AD Domain Services to manage servers that live in the
Azure cloud virtual machine environment
Data Protection in Microsoft Azure:
Azure provides a range of services and features to help protect data stored and processed
within its cloud environment. Here's how Azure addresses data protection:

Encryption: Azure offers encryption mechanisms to protect data both at rest and in transit.
Azure Storage Service Encryption (SSE) automatically encrypts data stored in Azure Blob
storage, Azure Files, and Azure Queue storage.

Access Controls: Azure Role-Based Access Control (RBAC) allows you to manage access
to Azure resources by assigning permissions to users, groups, and applications. This helps
ensure that only authorized individuals can access sensitive data.
Contd…
Network Security: Azure Virtual Network enables you to isolate and secure your Azure
resources by creating private networks and implementing network security groups (NSGs)
and Azure Firewall to control inbound and outbound traffic.
Data Compliance: Azure services adhere to various compliance standards, such as GDPR,
HIPAA, ISO/IEC 27001, and PCI DSS. Azure Compliance Manager provides tools and
documentation to assess your compliance posture and manage compliance requirements.
Backup and Disaster Recovery: Azure Backup and Azure Site Recovery enable you to
back up data and applications, and replicate workloads to Azure for disaster recovery
purposes, ensuring data availability and business continuity.
Compliance Frameworks in Microsoft Azure:
Azure aligns with a wide range of compliance standards and frameworks to help customers
meet their regulatory and industry-specific requirements. Some key compliance frameworks
include:
GDPR Compliance: The General Data Protection Regulation (GDPR) is a legal framework
that sets guidelines for the collection and processing of personal information from
individuals.
HIPAA Compliance: The Health Insurance Portability and Accountability Act of 1996
(HIPAA) is a federal law that required the creation of national standards to protect sensitive
patient health information from being disclosed without the patient's consent or knowledge.
Contd…
PCI DSS Compliance: Azure services such as Azure Key Vault, Azure Security Center, and
Azure Monitor can help organizations comply with PCI DSS requirements for securing
payment card data and environments.

ISO/IEC 27001 Compliance: Azure itself is certified against ISO/IEC 27001, and it
provides customers with a range of services and features to help build and maintain ISO/IEC
27001-compliant environments, including identity and access management, encryption, and
auditing capabilities.
Azure Governance Methodologies:
Azure Governance encompasses practices and processes for managing Azure resources
effectively, ensuring security, compliance, and cost management.

Azure Policy: Azure Policy enables you to enforce organizational standards and compliance
controls by defining and applying policies across your Azure environment. These policies
can enforce configurations, access controls, and compliance requirements.

Azure RBAC: Role-Based Access Control (RBAC) in Azure allows you to manage access
to Azure resources by granting permissions to users, groups, or applications based on their
roles and responsibilities within your organization.
Contd…
Azure Security Center: Azure Security Center provides unified security management and
advanced threat protection across hybrid cloud workloads. It helps identify and remediate
security vulnerabilities, implement security best practices, and comply with regulatory
requirements.

Azure Cost Management & Billing: Azure Cost Management + Billing provides tools and
insights to monitor, allocate, and optimize Azure spending. It helps you track resource usage,
analyze costs, and implement budgeting and cost control measures to optimize cloud
spending.
www.paruluniversity.ac.in