
Azure Security

August 8, 2023
AGENDA

• General Azure security
• Storage security
• Database security
• Identity and access management
• Terraform security
CONFIDENTIAL 2
GENERAL AZURE SECURITY
OVERVIEW

Microsoft Defender for Cloud

• A cloud-native application protection platform that combines security
  posture management (secure score, misconfiguration recommendations,
  regulatory compliance views) with workload protection (threat detection
  for VMs, containers, databases, storage and Key Vault) across Azure,
  other clouds and on-premises hybrid workloads.

Microsoft Sentinel

• A scalable, cloud-native SIEM and SOAR: it ingests logs from Azure and
  third-party sources into a Log Analytics workspace, runs analytics rules
  and threat intelligence over them to raise incidents, and automates
  response with playbooks across the enterprise.

Azure Key Vault

• A managed store for the secrets (passwords, connection strings, API
  keys), cryptographic keys and certificates your apps need. Keys can be
  software- or HSM-backed, access is granted per identity through Azure
  RBAC or vault access policies, and every operation is logged.
  Applications fetch secrets at runtime with a managed identity instead of
  carrying them in code, configuration or pipeline variables.

Azure Monitor logs

• A monitoring service that collects telemetry, resource logs and activity
  logs into a Log Analytics workspace and exposes them through a query
  language (Kusto Query Language, KQL) and analytics engine for operational
  and security insight into your apps and resources. Can be used alone or
  as the data layer for other services such as Defender for Cloud and
  Sentinel.

STORAGE SECURITY
OVERVIEW

Azure Storage Service Encryption

• Automatically encrypts all data written to Azure Storage at rest with
  256-bit AES and decrypts it transparently on read; it cannot be turned
  off. Keys are Microsoft-managed by default; customer-managed keys in Key
  Vault can be used instead, which also lets you revoke access to the data
  by disabling the key. Encryption at rest says nothing about who is
  authorized to read the data; that is the job of RBAC, SAS and network
  rules.

Client-Side encryption for blobs

• Encrypts data inside the client application before upload and decrypts it
  after download, so the storage service only ever holds ciphertext. The
  per-blob content key is itself wrapped with a key the client controls
  (for example one held in Key Vault); key management, rotation and key
  loss are therefore the client's responsibility, not the service's.

Azure StorSimple Virtual Array

• An integrated storage solution that manages storage tasks between an
  on-premises virtual array running in a hypervisor and Microsoft Azure
  cloud storage. StorSimple has since been retired by Microsoft and is not
  an option for new deployments.

Azure Storage shared access signatures and Storage
Account Keys
• Every request to Azure Storage must be authorized. The two storage
  account keys are root credentials: anyone holding one has full access to
  all data in the account, so they should be disabled where possible,
  never embedded in code or pipeline variables, and rotated if exposed.
• A shared access signature (SAS) is a URI token that delegates limited
  access to resources in your storage account: it names the resource, the
  permissions, a validity window and optionally allowed IPs and HTTPS-only,
  and is signed either with an account key (account or service SAS) or
  with an Azure AD user delegation key.
• Azure Active Directory (Azure AD) authorization is the recommended
  method: identities receive RBAC roles such as Storage Blob Data Reader on
  a container or account, every access is logged against that identity,
  and no long-lived secret is handed out.
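As an added example (not part of the original deck), the Terraform below puts the slide's point into configuration: the same azurerm_storage_account written first with the weak defaults and then hardened so that account keys and key-signed SAS cannot be used at all and delegated access goes through Azure AD RBAC. Resource names, the resource group, the location and the principal ID variable are assumptions; argument names follow the azurerm provider 3.x schema.

```hcl
# Added example (not from the deck). Names, resource group, location and the
# principal variable are assumptions; argument names are azurerm provider 3.x.

variable "app_principal_id" {
  type        = string
  description = "Object ID of the app's managed identity (assumed)."
}

# Weak: the shape a quick deployment ends up with. Anyone who obtains one of
# the two account keys (portal, CI logs, state file) has full control of the
# data, and any container can be flipped to anonymous public read.
resource "azurerm_storage_account" "weak" {
  name                     = "stexampleweak"
  resource_group_name      = "rg-example"
  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  shared_access_key_enabled       = true     # account keys and key-signed SAS accepted
  allow_nested_items_to_be_public = true     # containers may allow anonymous read
  enable_https_traffic_only       = false
  min_tls_version                 = "TLS1_0"
}

# Hardened: shared-key authorization is switched off, so account keys and any
# account/service SAS signed with them stop working; user delegation SAS
# (signed with Azure AD credentials) and RBAC keep working. Public access and
# plain HTTP are refused, and versioning plus soft delete allow recovery from
# an overwrite or deletion.
resource "azurerm_storage_account" "hardened" {
  name                     = "stexamplehardened"
  resource_group_name      = "rg-example"
  location                 = "westeurope"
  account_tier             = "Standard"
  account_replication_type = "ZRS"

  shared_access_key_enabled       = false
  allow_nested_items_to_be_public = false
  enable_https_traffic_only       = true
  min_tls_version                 = "TLS1_2"
  public_network_access_enabled   = false    # reached through a private endpoint

  blob_properties {
    versioning_enabled = true
    delete_retention_policy {
      days = 30
    }
  }
}

resource "azurerm_storage_container" "data" {
  name                  = "appdata"
  storage_account_name  = azurerm_storage_account.hardened.name
  container_access_type = "private"
}

# Delegated access is an RBAC assignment on the container, limited to read,
# instead of a shared key or a long-lived SAS.
resource "azurerm_role_assignment" "app_reader" {
  scope                = azurerm_storage_container.data.resource_manager_id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = var.app_principal_id
}
```

With shared keys disabled, the Terraform provider itself also needs storage_use_azuread = true in its provider "azurerm" block and the deploying identity needs Storage Blob Data Contributor on the account, otherwise it can no longer manage containers. If a SAS is still required (for example for a third party), issue a user delegation SAS with a short expiry, HTTPS only and an IP restriction rather than re-enabling shared keys.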

DATABASE SECURITY
OVERVIEW

Azure SQL Firewall

• A network access control feature that protects the database against
  network-based attacks: server-level and database-level rules allow
  connections only from listed public IP ranges, and everything else is
  rejected before authentication. Virtual network rules and private
  endpoints restrict access further. The "Allow Azure services" rule
  (0.0.0.0) admits any resource in any Azure subscription, not only yours,
  and should be avoided.

Azure SQL Connection Encryption and Azure SQL Always
Encrypted
• To provide security, SQL Database controls access with firewall rules
  limiting connectivity by IP address, authentication mechanisms requiring
  users to prove their identity, and authorization mechanisms limiting
  users to specific actions and data.
• Connection encryption: Azure SQL requires TLS on every connection. The
  client should set Encrypt=True and TrustServerCertificate=False so the
  server certificate is actually validated, and the server should enforce
  a minimum TLS version of 1.2.
• Always Encrypted: selected columns are encrypted by the client driver
  with keys held outside the database (a column master key in Key Vault),
  so database administrators and the service itself see only ciphertext;
  equality matching still works on deterministically encrypted columns.
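As an added example (not part of the original deck), the configuration below wires the three slides together: an Azure SQL server that only accepts TLS 1.2 and Azure AD logins, the over-broad firewall rule shown beside a rule for one known egress address, and the connection string clients should use so that encryption, certificate validation and Always Encrypted are all on. Names, the resource group, the location, the admin group object ID and the 203.0.113.10 placeholder address are assumptions; argument names follow the azurerm provider 3.x schema. Provisioning the Always Encrypted column keys is done in T-SQL and is not shown.

```hcl
# Added example (not from the deck). Names, location and the admin group
# object ID are assumptions; argument names are azurerm provider 3.x.

variable "sql_admin_group_object_id" {
  type        = string
  description = "Object ID of the Azure AD group that administers the server (assumed)."
}

resource "azurerm_mssql_server" "db" {
  name                = "sql-example-01"
  resource_group_name = "rg-example"
  location            = "westeurope"
  version             = "12.0"

  minimum_tls_version           = "1.2"  # clients on TLS 1.0/1.1 are refused
  public_network_access_enabled = true   # needed for IP firewall rules; false once a private endpoint exists

  # No SQL logins at all: authentication is Azure AD only, so there is no
  # server admin password to leak through state, tfvars or CI logs.
  azuread_administrator {
    login_username              = "sql-admins"
    object_id                   = var.sql_admin_group_object_id
    azuread_authentication_only = true
  }
}

# Weak (shown for contrast only, do not deploy): the rule the portal's
# "Allow Azure services and resources to access this server" toggle creates.
# 0.0.0.0 matches every Azure-hosted source in any subscription, so only
# authentication stands between an attacker's Azure VM and the database.
resource "azurerm_mssql_firewall_rule" "allow_all_azure" {
  name             = "AllowAllWindowsAzureIps"
  server_id        = azurerm_mssql_server.db.id
  start_ip_address = "0.0.0.0"
  end_ip_address   = "0.0.0.0"
}

# Hardened: one rule per known egress address (203.0.113.10 is a
# documentation address used as a placeholder).
resource "azurerm_mssql_firewall_rule" "office_egress" {
  name             = "office-egress"
  server_id        = azurerm_mssql_server.db.id
  start_ip_address = "203.0.113.10"
  end_ip_address   = "203.0.113.10"
}

# What clients should connect with: TLS enforced with the server certificate
# validated, Always Encrypted enabled in the driver, and the caller's Azure AD
# identity used instead of a password.
output "client_connection_string" {
  value = join(";", [
    "Server=tcp:${azurerm_mssql_server.db.fully_qualified_domain_name},1433",
    "Database=app",
    "Encrypt=True",
    "TrustServerCertificate=False",
    "Column Encryption Setting=Enabled",
    "Authentication=Active Directory Default",
  ])
}
```

The "Authentication" and "Column Encryption Setting" keywords are those of Microsoft.Data.SqlClient; other drivers spell the same options differently, but every one of them has an equivalent of TrustServerCertificate=False, and leaving it true turns connection encryption into something any on-path attacker can terminate.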

IDENTITY AND ACCESS MANAGEMENT
OVERVIEW

Azure role-based access control

• The authorization system for Azure resources: a role assignment binds a
  security principal (user, group, service principal or managed identity)
  to a role definition (a set of allowed actions) at a scope (management
  group, subscription, resource group or single resource), so users can
  reach only the resources their role in the organization requires.
  Assignments are inherited by every child scope, so assign roles as
  narrowly as possible and prefer a custom role over Owner or Contributor
  when a job needs only a few actions.
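As an added example (not part of the original deck), the Terraform below contrasts the common over-broad assignment with a least-privilege one: Contributor on the whole subscription beside a custom role that allows only reading and restarting App Service apps, assignable only inside one resource group. The resource group name and the deployer's object ID are assumptions; the Microsoft.Web operation names and the azurerm resources are real.

```hcl
# Added example (not from the deck). Resource group name and the principal
# variable are assumptions; argument names are azurerm provider 3.x.

variable "operator_object_id" {
  type        = string
  description = "Object ID of the operations team's group (assumed)."
}

data "azurerm_subscription" "current" {}

data "azurerm_resource_group" "app" {
  name = "rg-example"
}

# Over-broad (shown for contrast only): Contributor at subscription scope is
# inherited by every resource group and resource in the subscription and
# lets the principal create, change or delete almost anything.
resource "azurerm_role_assignment" "too_broad" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = var.operator_object_id
}

# Least privilege: a custom role listing exactly the control-plane actions
# the job needs. assignable_scopes stops anyone granting it elsewhere.
resource "azurerm_role_definition" "webapp_operator" {
  name        = "Web App Operator (example)"
  scope       = data.azurerm_resource_group.app.id
  description = "Read and restart App Service apps in one resource group; nothing else."

  permissions {
    actions = [
      "Microsoft.Web/sites/read",
      "Microsoft.Web/sites/restart/action",
    ]
    not_actions = []
  }

  assignable_scopes = [data.azurerm_resource_group.app.id]
}

# The assignment is made at the resource group, not the subscription, so it
# cannot reach sites in other groups.
resource "azurerm_role_assignment" "scoped" {
  scope              = data.azurerm_resource_group.app.id
  role_definition_id = azurerm_role_definition.webapp_operator.role_definition_resource_id
  principal_id       = var.operator_object_id
}
```

Data-plane permissions (reading blobs, secrets or database rows) are a separate list, data_actions, and are not implied by control-plane actions; Contributor can configure a storage account without being able to read a single blob, which is exactly why the data-plane roles such as Storage Blob Data Reader exist.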

Azure Active Directory B2C

• A customer identity and access management (CIAM) service for
  consumer-facing applications, run in its own tenant separate from the
  organization's Azure AD: sign-up and sign-in with local or social
  accounts, MFA, and customizable user flows and policies.

Azure AD Multi-Factor Authentication

• Multi-factor authentication is a process in which users are prompted
  during sign-in for an additional form of identification beyond their
  password, such as a code or push approval on their phone, a FIDO2
  security key or a fingerprint scan. It is enforced through Conditional
  Access policies or security defaults; SMS and voice-call codes are the
  weakest option because they can be phished or SIM-swapped.

TERRAFORM SECURITY
OVERVIEW

Secure variables

• Mark variables that carry credentials with sensitive = true so Terraform
  redacts them from plan and apply output and from terraform output.
• Redaction is output-only: the value is still written in plaintext to the
  state file and to any saved plan file, so state storage must be
  protected.
• Pass values through TF_VAR_<name> environment variables or a CI secret
  store rather than committing .tfvars files.

Terraform State encrypting

• Terraform state records resource attributes, including passwords, keys
  and connection strings, in plaintext, so the state file itself needs
  protecting.
• Storing state in Azure Storage (the azurerm backend) gives encryption at
  rest: data is encrypted and decrypted transparently using 256-bit AES,
  one of the strongest block ciphers available, and is FIPS 140-2
  compliant. Azure Storage encryption is similar to BitLocker encryption
  on Windows; keys can be Microsoft-managed or customer-managed in Key
  Vault.
• Encryption at rest does not limit who can read the blob: restrict access
  with RBAC, disable shared keys and anonymous access, and turn on blob
  versioning and soft delete so overwritten or deleted state can be
  recovered.

State lock

• The azurerm backend takes a lease on the state blob for the duration of
  a plan or apply, so two concurrent runs in the organization cannot
  corrupt the state or apply on top of each other.
• If a run is interrupted the lease can remain; terraform force-unlock
  releases it, but only after confirming that no other run is actually in
  progress.

The Lifecycle

• lifecycle is a nested block that can appear within a resource block. The
  lifecycle block and its contents are meta-arguments, available for all
  resource blocks regardless of type.
• The arguments available within a lifecycle block are
  create_before_destroy, prevent_destroy, ignore_changes and
  replace_triggered_by (plus precondition and postcondition blocks since
  Terraform 1.2).
• For security-critical resources such as Key Vaults, state storage and
  databases, prevent_destroy = true makes Terraform refuse any plan that
  would delete the resource, which guards against an accidental or
  malicious destroy.
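As an added example (not part of the original deck), one configuration that combines the Key Vault, Secure variables, Terraform State encrypting, State lock and Lifecycle slides: remote state in Azure Blob Storage reached through Azure AD, a sensitive variable that is written to Key Vault rather than passed around in configuration, and lifecycle rules that stop the vault being destroyed and stop Terraform undoing an out-of-band secret rotation. The state storage account, resource groups, vault name and location are assumptions; argument names follow the azurerm provider 3.x schema.

```hcl
# Added example (not from the deck). Storage account, resource groups, vault
# name and location are assumptions; argument names are azurerm provider 3.x.

terraform {
  required_version = ">= 1.2"

  # Remote state in Azure Blob Storage: encrypted at rest by Storage Service
  # Encryption, locked with a blob lease for the duration of each run, and
  # (with use_azuread_auth) reached through the runner's Azure AD identity
  # rather than a storage account key stored in CI variables.
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "sttfstateexample"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
    use_azuread_auth     = true
  }
}

provider "azurerm" {
  features {}
  storage_use_azuread = true  # data-plane calls via Azure AD, required once shared keys are disabled
}

# Secure variable: redacted from plan/apply output and from terraform output,
# but still written in plaintext to the state file and to saved plan files.
# Supply it with TF_VAR_db_password or from CI secrets, never from a
# committed .tfvars file.
variable "db_password" {
  type      = string
  sensitive = true
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "app" {
  name                = "kv-example-01"
  location            = "westeurope"
  resource_group_name = "rg-example"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  enable_rbac_authorization     = true   # per-identity Azure RBAC instead of vault access policies
  purge_protection_enabled      = true   # a deleted vault or secret cannot be purged before retention ends
  soft_delete_retention_days    = 90
  public_network_access_enabled = false

  # Refuse any plan that would delete the vault, whether it comes from a
  # typo, a refactor or a compromised pipeline.
  lifecycle {
    prevent_destroy = true
  }
}

# The password lives in Key Vault; applications read it at runtime with their
# managed identity instead of receiving it through configuration.
resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = var.db_password
  key_vault_id = azurerm_key_vault.app.id

  # Rotation happens outside Terraform; do not let a later apply overwrite
  # the rotated value with the stale one still held in variables.
  lifecycle {
    ignore_changes = [value]
  }
}

# The value leaves this configuration only as a reference, never as plaintext.
output "db_password_secret_id" {
  value = azurerm_key_vault_secret.db_password.versionless_id
}
```

The storage account that holds the state should itself be hardened: shared keys off, versioning and soft delete on, public network access off, and Storage Blob Data Contributor granted only to the pipeline identity on the tfstate container. Note that the secret's value is still present in the state blob in plaintext, which is why the state container, not sensitive = true, is the real boundary around it.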