
SECURITY CONTROLS FOR ISO 27001 COMPLIANCE in MICROSOFT AZURE

Each entry below names the security control, the Azure solution that addresses it, and the feature that makes the solution useful for that control.
Security control: Enable identity and authentication solutions
Azure solution: Microsoft Entra ID (formerly Azure Active Directory)
Feature:
• Helps secure access to data in on-premises and cloud applications and simplifies the management of users and groups.
• Provides a way to authenticate and authorize users for access to web applications and services without implementing an application-specific authentication system, so application code never stores passwords or builds its own login.
Security control: Use appropriate access controls
Azure solution: Azure role-based access control (Azure RBAC); Federation; Authentication and Authorization; Single Sign-out; Security Token Flow and Transformation; Trust Management; Administration; Automation; Conditional Access
Feature:
• Access management for cloud resources is a critical function for any organization that is using the cloud.
• Azure RBAC manages who has access to Azure resources (the security principal), what they can do with those resources (the role definition, a list of permitted Actions and excluded NotActions) and where they have that access (the scope: management group, subscription, resource group or individual resource). A role assignment made at a scope is inherited by every child scope, so a Reader assignment on a subscription reads every resource group in it; keep assignments at the narrowest scope that does the job.
• Federation integrates on-premises environments with Microsoft Entra ID for authentication and authorization, so users sign in with their existing organisational identity instead of a second set of cloud credentials.
• Authentication and authorization mechanisms are fundamental to Microsoft Entra ID, enabling secure access to applications and resources.
• Single Sign-out and Security Token Flow and Transformation are supported through Microsoft Entra ID's identity and access management services: signing out ends the federated session across the applications that share it, and the claims in issued tokens can be shaped for the application that receives them.
• Trust Management, Administration and Automation are also core aspects of Microsoft Entra ID, with built-in roles for managing Microsoft Entra resources and documentation on managing user identities, controlling access and configuring security features such as self-service password reset.
• Conditional Access is an advanced access control expressed as if-then statements: if a sign-in matches the configured conditions (which user or group, which application, device platform and compliance state, network location, sign-in risk), then the grant controls, for example multifactor authentication or a compliant device, must be satisfied before the token is issued. Because it runs at sign-in, it complements Azure RBAC, which is evaluated afterwards on each resource request.
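The scope-inheritance and NotActions rules above decide most real-world "why can (or can't) this identity do X" questions, so here is an added example, written for this page rather than taken from Microsoft or the original document, that evaluates them the way Azure RBAC does: role assignments inherited down the scope tree, Actions matched with Azure's wildcard rule, and NotActions narrowing only the role they belong to. The scope model (tenant root as "/" and management groups as path prefixes), the trimmed Contributor definition and the assignments for the user alice are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// RoleDefinition carries the Actions/NotActions lists of an Azure role definition.
type RoleDefinition struct{ Actions, NotActions []string }

// RoleAssignment binds a principal to a role at a scope; Azure inherits it down
// the scope tree (management group > subscription > resource group > resource).
type RoleAssignment struct{ Principal, Role, Scope string }

// matchAction applies Azure's wildcard rule: "*" matches any run of characters,
// so "Microsoft.Compute/*" covers every Compute operation and "*/read" every
// read operation. Comparison is case-insensitive, as in Azure.
func matchAction(pattern, action string) bool {
	parts := strings.Split(strings.ToLower(pattern), "*")
	s := strings.ToLower(action)
	if len(parts) == 1 {
		return s == parts[0]
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	for _, p := range parts[1 : len(parts)-1] {
		i := strings.Index(s, p)
		if i < 0 {
			return false
		}
		s = s[i+len(p):]
	}
	return strings.HasSuffix(s, parts[len(parts)-1])
}

func anyMatch(patterns []string, action string) bool {
	for _, p := range patterns {
		if matchAction(p, action) {
			return true
		}
	}
	return false
}

// inScope: an assignment at assignmentScope applies to target when the scopes are equal
// or target lies beneath it. Scopes are modelled as slash-separated paths with "/" as the
// tenant root (an assumption of this example; management groups are not real path prefixes).
func inScope(assignmentScope, target string) bool {
	a := strings.ToLower(strings.TrimSuffix(assignmentScope, "/"))
	t := strings.ToLower(target)
	return t == a || strings.HasPrefix(t, a+"/")
}

// Evaluator holds a tenant's role definitions and role assignments.
type Evaluator struct {
	Roles  map[string]RoleDefinition
	Grants []RoleAssignment
}

// Allowed follows Azure's evaluation: an assignment at the target scope or any parent
// scope grants the action when it matches the role's Actions and is not excluded by that
// same role's NotActions; NotActions never subtract a permission granted by another role.
func (e Evaluator) Allowed(principal, action, scope string) bool {
	for _, ra := range e.Grants {
		role, ok := e.Roles[ra.Role]
		if ok && ra.Principal == principal && inScope(ra.Scope, scope) &&
			anyMatch(role.Actions, action) && !anyMatch(role.NotActions, action) {
			return true
		}
	}
	return false
}

// sampleTenant is a constructed configuration: Reader on the subscription and Contributor
// on one resource group (Contributor's NotActions trimmed to the entries that stop it granting roles).
func sampleTenant() Evaluator {
	return Evaluator{
		Roles: map[string]RoleDefinition{
			"Reader":      {Actions: []string{"*/read"}},
			"Contributor": {Actions: []string{"*"}, NotActions: []string{"Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"}},
		},
		Grants: []RoleAssignment{
			{"alice", "Reader", "/subscriptions/sub1"},
			{"alice", "Contributor", "/subscriptions/sub1/resourceGroups/rg-app"},
		},
	}
}

func main() {
	e := sampleTenant()
	vmApp := "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"
	vmDB := "/subscriptions/sub1/resourceGroups/rg-db/providers/Microsoft.Compute/virtualMachines/vm2"
	fmt.Println(e.Allowed("alice", "Microsoft.Compute/virtualMachines/read", vmDB))         // true: Reader inherited from the subscription
	fmt.Println(e.Allowed("alice", "Microsoft.Compute/virtualMachines/write", vmDB))        // false: Contributor is scoped to rg-app only
	fmt.Println(e.Allowed("alice", "Microsoft.Compute/virtualMachines/write", vmApp))       // true: granted by Contributor
	fmt.Println(e.Allowed("alice", "Microsoft.Authorization/roleAssignments/write", vmApp)) // false: excluded by Contributor's NotActions
}
```

The fourth case is the one that catches people out in reviews: Contributor's "*" looks like full control, but its NotActions stop it from handing out role assignments, which is why Owner exists as a separate role. Deny assignments (which override every grant) are not modelled here.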

Security control: Use an industry-recommended enterprise-wide antimalware solution
Azure solution: Microsoft Antimalware for Azure
Feature: Free real-time protection that helps identify and remove viruses, spyware and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems. Microsoft Antimalware can also be deployed, and its alerts collected, through Microsoft Defender for Cloud, which in turn flags virtual machines that have no endpoint protection installed.

Security control: Effective certificate acquisition and management
Azure solution: Azure Key Vault; Management certificates; Service certificates; SSH keys; Certificates for point-to-site and site-to-site VPNs; RD connections for Windows VMs
Feature:
• Azure Key Vault helps safeguard cryptographic keys, certificates and other secrets used by cloud applications and services. Certificates kept there can be issued and renewed centrally, with access to the private key controlled per principal and logged, instead of being copied into application configuration.
• Management certificates: these certificates enable the use of Software Development Kit (SDK) tools, Visual Studio or the Service Management REST API. They are stored at the subscription level and are independent of any cloud service or deployment. They belong to the classic (Azure Service Management) deployment model; Azure Resource Manager authenticates with Microsoft Entra ID instead. Whoever holds the private key of a management certificate can administer the whole subscription, so treat them as highly privileged secrets and remove any that are no longer needed.
• Service certificates: assigned at the cloud service level and used by the services deployed within Azure. They secure communication to and from Azure services, ensuring that data in transit is encrypted and accessible only to authenticated services.
• SSH keys: Secure Shell (SSH) keys authenticate remote connections to Linux virtual machines (VMs) hosted on Azure. Public-key cryptography gives a secure way of logging in to a VM over untrusted networks; once key-based authentication is in place, password authentication can be disabled so that a guessed or stolen password is no longer a way in.
• Certificates for point-to-site and site-to-site VPNs: these certificates authenticate connections to Azure Virtual Private Networks (VPNs). For point-to-site, the public part of a root certificate is uploaded to the VPN gateway and each client device presents a client certificate issued by that root; the gateway accepts the device only if the chain verifies and the certificate is within its validity period, and the thumbprint of a revoked client certificate can be listed on the gateway to block it. The result is an encrypted, authenticated tunnel over the internet between an individual device and Azure, or between your on-premises network and Azure.
• RDP connections for Windows VMs: Remote Desktop Protocol (RDP) connections to Windows virtual machines use a certificate to identify the RDP server to the client and to encrypt the data exchanged during the session, safeguarding remote administration of Windows VMs hosted on Azure. By default a Windows VM presents a self-signed certificate, which is why clients show a trust warning; installing a certificate issued by a CA the clients trust turns that warning into a real check against impersonation.
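Added example (not from the page or from Microsoft) of the point-to-site certificate check described above: a self-signed root whose public certificate is what you would upload to the gateway, client certificates issued by it, and the gateway's verification of chain, validity period and client-authentication usage. It uses ECDSA P-256 for speed; the PowerShell procedure in Azure's documentation generates RSA keys. The names P2SRootCert, UnrelatedRoot, alice-laptop and mallory-laptop are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with parent (self-signed when parent is nil) and returns
// the parsed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRoot creates the self-signed root whose public certificate (and only that)
// would be uploaded to the VPN gateway's point-to-site configuration.
func NewRoot(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, nil, &key.PublicKey, key)
	return cert, key, err
}

// NewClientCert issues a one-year leaf certificate for a user's device, signed by
// the root. The leaf is restricted to client authentication so it cannot be reused
// as a server or CA certificate.
func NewClientCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, user string, serial int64, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, root, &key.PublicKey, rootKey)
}

// GatewayAccepts mirrors the gateway's decision for a presented client certificate:
// it must chain to one of the uploaded roots, be within its validity period at
// connection time, and be marked for client authentication.
func GatewayAccepts(trustedRoots []*x509.Certificate, client *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := client.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	now := time.Now()
	root, rootKey, _ := NewRoot("P2SRootCert", now)
	rogue, rogueKey, _ := NewRoot("UnrelatedRoot", now)
	alice, _ := NewClientCert(root, rootKey, "alice-laptop", 1001, now)
	mallory, _ := NewClientCert(rogue, rogueKey, "mallory-laptop", 1002, now)
	trusted := []*x509.Certificate{root}

	fmt.Println("alice, today:       ", GatewayAccepts(trusted, alice, now))                  // <nil>
	fmt.Println("mallory, today:     ", GatewayAccepts(trusted, mallory, now))                // unknown authority
	fmt.Println("alice, in two years:", GatewayAccepts(trusted, alice, now.AddDate(2, 0, 0))) // expired
}
```

The private key of the root never leaves the machine that issues client certificates; the gateway only ever sees the root's public certificate, which is exactly why a leaked root private key means re-issuing everything rather than just rotating one client.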

Security control: Encrypt all customer data
Azure solution: Client-side encryption; Server-side encryption; Azure Disk Encryption; Azure Storage Service Encryption (SSE); Client-side encryption of Azure blobs; Azure SQL Database encryption; Azure Cosmos DB database encryption; Data Lake encryption; Encryption of data in transit; Key management with Key Vault
Feature:
• Client-side encryption: data is encrypted on the client's side before it is sent to Azure. Azure never sees the plaintext or the encryption keys, which gives the client complete control over its data security, and also complete responsibility for keeping the keys available: a lost key means lost data.
• Server-side encryption:
  – Service-managed keys: Azure encrypts data before storing it and decrypts it on retrieval, transparently to the application; a balance between security and convenience.
  – Customer-managed keys: clients use their own keys, generated in or imported into Azure Key Vault (Bring Your Own Key, BYOK). The service still performs the encryption, but the client controls key rotation and can revoke the service's access to the key, which renders the stored data unreadable.
  – Customer-controlled hardware: also known as Host Your Own Key (HYOK), this model keeps the key in hardware the customer operates. It provides the highest level of control but is more complex and is supported by fewer Azure services.
• Azure Disk Encryption: uses dm-crypt for Linux VMs and BitLocker for Windows VMs to encrypt operating system and data disks inside the guest. The encryption keys and secrets are stored in Azure Key Vault.
• Azure Storage Service Encryption (SSE): automatically encrypts data at rest in Azure Storage (Blob, Files, Queue and Table storage) using 256-bit AES before it is written and decrypts it transparently on access. It is always on and cannot be disabled; the choice left to the customer is whether the key is Microsoft-managed or customer-managed.
• Client-side encryption of Azure blobs: the Azure Storage client library encrypts data within the client application using envelope encryption: each blob gets its own random content encryption key, which is wrapped with a key encryption key that can be held in Key Vault. Only the ciphertext and the wrapped key are uploaded.
• Azure SQL Database encryption:
  – Transparent Data Encryption (TDE): encrypts the data and log files in real time at the page level using AES-256, enabled by default on new databases. TDE protects the files and backups against offline theft; it does not hide data from anyone who can already query the database.
  – Always Encrypted: the client driver encrypts sensitive columns before the data reaches Azure SQL Database, and the column master keys stay with the data owner (for example in Key Vault), so the people who operate the database see only ciphertext.
• Azure Cosmos DB database encryption: user data in non-volatile storage is encrypted automatically with keys managed by Microsoft, with an optional second layer of encryption using customer-managed keys.
• Data Lake encryption: encryption of data at rest is on by default, with the option for clients to manage their own encryption keys.
• Encryption of data in transit:
  – Data-link layer encryption: MACsec encrypts Azure traffic between datacentres, protecting it against eavesdropping on the links.
  – TLS encryption: protects data travelling to and from Azure services; perfect forward secrecy (PFS) gives each connection its own session key, so a later compromise of the server's long-term key does not expose recorded sessions. Where a service lets you set a minimum TLS version, set it to 1.2 or higher.
  – SMB 3.0 for Azure Files: encryption in transit for file-share access across regions and from desktops.
• Key management with Key Vault: a managed platform for generating, storing and controlling access to encryption keys, without the complexity of running on-premises HSMs. Key operations are logged and access is granted per principal, so the audit trail the standard asks for comes with the service.
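Client-side encryption, customer-managed keys and the blob client library's envelope scheme all rest on the same mechanism: a per-object content key protects the data and a key-encryption key (KEK) held in Key Vault protects the content key. The following added example (written for this page, not Microsoft's library code) implements that envelope with AES-256-GCM for the data and RSA-OAEP for wrapping the content key, and shows what the storage service ends up holding and what happens when a stored envelope is tampered with. The Key Vault key URL is a hypothetical identifier and the KEK is generated locally in place of a vault-held key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the client uploads. The storage service keeps it as an opaque
// blob: it contains no plaintext and no key it could use.
type Envelope struct {
	KeyID      string // KEK identifier (a Key Vault key URL in practice), bound as associated data
	WrappedCEK []byte // 256-bit content-encryption key, RSA-OAEP-wrapped under the KEK
	Nonce      []byte // 96-bit GCM nonce, fresh for every Seal
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// Seal generates a fresh content-encryption key per object, encrypts the data with
// AES-256-GCM and wraps the CEK under the KEK's public half. Only the public key is
// needed here; the private half would stay inside Key Vault and perform the unwrap.
func Seal(kek *rsa.PublicKey, keyID string, plaintext []byte) (Envelope, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// The key ID is bound as associated data, so an envelope relabelled with another
	// key ID fails authentication rather than decrypting to garbage.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, cek, []byte(keyID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KeyID: keyID, WrappedCEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the CEK with the KEK private key and decrypts. Any change to the
// ciphertext, nonce, tag or key ID makes OAEP or GCM fail; the caller never sees
// partially decrypted data.
func Open(kek *rsa.PrivateKey, env Envelope) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, kek, env.WrappedCEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap CEK: %w", err)
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKEK generates a throwaway RSA-2048 key standing in for a Key Vault key; in
// production the private half is generated inside Key Vault and never exported.
func NewKEK() *rsa.PrivateKey {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return kek
}

func main() {
	kek := NewKEK()
	keyID := "https://contoso-kv.vault.azure.net/keys/blob-kek/1" // hypothetical identifier

	env, _ := Seal(&kek.PublicKey, keyID, []byte("customer record 42"))
	fmt.Printf("stored: %d bytes ciphertext, %d bytes wrapped key\n", len(env.Ciphertext), len(env.WrappedCEK))

	pt, err := Open(kek, env)
	fmt.Printf("authorised reader: %q (err=%v)\n", pt, err)

	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(kek, tampered)
	fmt.Println("tampered blob:", err) // cipher: message authentication failed
}
```

Revoking the service's access to the KEK in Key Vault is the customer-managed-key "kill switch" the text mentions: every wrapped CEK becomes unusable at once, while the ciphertext itself never needs to be touched. Rotating the KEK only requires re-wrapping the small CEKs, not re-encrypting the data.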

Security control: Threat modelling services and applications
Azure solution: Microsoft Security Development Lifecycle (SDL) Threat Modeling Tool
Feature: A process to identify threats and vulnerabilities in software and services, integral to developing secure applications.

The tool enables anyone to:
• Communicate about the security design of their systems.
• Analyse those designs for potential security issues using a proven methodology.
• Suggest and manage mitigations for security issues.

Some of the tool's capabilities:
• Automation: guidance and feedback while drawing the model.
• STRIDE per element: guided analysis of threats and mitigations for each element of the diagram (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).
• Reporting: security activities and testing in the verification phase.
• Unique methodology: helps users visualise and understand threats.
• Designed for developers and centred on software: many approaches are centred on assets or attackers; this one is centred on software and builds on activities that all software developers and architects are familiar with, such as drawing pictures of their software architecture.
• Focused on design analysis: the term "threat modelling" can refer to a requirements technique, a design analysis technique or a blend of the two. The Microsoft SDL approach to threat modelling is a focused design analysis technique: it works from a data flow diagram with trust boundaries, and the STRIDE categories are applied to each element and to every flow that crosses a boundary.

Security control: Log security events, implement monitoring, and visualization capabilities
Azure solution: Azure Security Center (now Microsoft Defender for Cloud); Azure Operational Insights (now Azure Monitor Logs, backed by a Log Analytics workspace); Azure security logging and auditing
Feature:
• Azure Security Center is a security management tool that lets you gain insight into your security state across hybrid cloud workloads, reduce your exposure to attacks and respond to detected threats quickly.
• Azure Operational Insights is an analysis service that gives IT administrators deep insight into their on-premises and cloud environments. It lets you query real-time and historical computer data to build custom insights quickly, alongside Microsoft- and community-developed patterns for data analysis.
• Azure security logging and auditing: Azure provides a wide array of configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms. The most important types of logs available in Azure are: Activity logs (control-plane operations on resources), Azure Resource logs (data-plane operations inside a resource), Microsoft Entra ID reporting (sign-ins and directory audit events), virtual machine and cloud service logs, Azure Storage Analytics, Network security group (NSG) flow logs (allowed and denied connections per NSG rule), Application Insights, and process data / security alerts. Several of these are off or short-lived by default, so enabling them and routing them to a workspace or storage account with a defined retention period is the first step.
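NSG flow logs are the log type in the list above that most directly answers "who reached which port, and was it allowed". The added example below (written for this page, not Microsoft code) parses the version-2 flow-log record format and runs two detections over it: an allowed inbound RDP/SSH connection from a non-private address, and a source whose denied admin-port attempts reach a threshold. The flow-log record, its IP addresses and the rule names are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strconv"
	"strings"
)

// Flow is one decoded NSG flow-log tuple. Versions 1 and 2 share the first eight
// comma-separated fields: timestamp, source IP, destination IP, source port,
// destination port, protocol (T/U), direction (I/O) and decision (A/D).
type Flow struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort int
	Protocol         string
	Inbound, Allowed bool
}

// flowLog declares only the parts of the flow-log JSON this example reads.
type flowLog struct {
	Records []struct {
		Properties struct {
			Flows []struct {
				Flows []struct{ FlowTuples []string `json:"flowTuples"` } `json:"flows"`
			} `json:"flows"`
		} `json:"properties"`
	} `json:"records"`
}

// ParseFlows flattens the nested records into Flow values, skipping malformed tuples.
func ParseFlows(raw []byte) ([]Flow, error) {
	var fl flowLog
	if err := json.Unmarshal(raw, &fl); err != nil {
		return nil, err
	}
	var out []Flow
	for _, rec := range fl.Records {
		for _, rule := range rec.Properties.Flows {
			for _, f := range rule.Flows {
				for _, t := range f.FlowTuples {
					if p := strings.Split(t, ","); len(p) >= 8 {
						sp, e1 := strconv.Atoi(p[3])
						dp, e2 := strconv.Atoi(p[4])
						src, dst := net.ParseIP(p[1]), net.ParseIP(p[2])
						if e1 == nil && e2 == nil && src != nil && dst != nil {
							out = append(out, Flow{src, dst, sp, dp, p[5], p[6] == "I", p[7] == "A"})
						}
					}
				}
			}
		}
	}
	return out, nil
}

// Finding: Kind is "exposed-admin-port" (an allowed inbound SSH/RDP connection from a
// non-private source) or "admin-port-scan" (denied SSH/RDP attempts reached the threshold).
type Finding struct {
	Kind, SrcIP string
	Count       int
}

// Detect runs both checks over a batch of flows; results are sorted by kind and source.
func Detect(flows []Flow, threshold int) []Finding {
	denied := map[string]int{}
	var findings []Finding
	for _, f := range flows {
		if !f.Inbound || f.Protocol != "T" || (f.DstPort != 22 && f.DstPort != 3389) {
			continue
		}
		if f.Allowed && !f.SrcIP.IsPrivate() {
			findings = append(findings, Finding{"exposed-admin-port", f.SrcIP.String(), 1})
		} else if !f.Allowed {
			denied[f.SrcIP.String()]++
		}
	}
	for ip, n := range denied {
		if n >= threshold {
			findings = append(findings, Finding{"admin-port-scan", ip, n})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Kind+findings[i].SrcIP < findings[j].Kind+findings[j].SrcIP })
	return findings
}

// sampleLog is a constructed version-2 record: a scanning source denied on RDP and SSH,
// an allowed RDP session from the internet, one from a private address, and HTTPS traffic.
const sampleLog = `{"records":[{"time":"2024-03-01T10:00:00Z","category":"NetworkSecurityGroupFlowEvent","properties":{"Version":2,"flows":[
{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF87856","flowTuples":["1709287200,198.51.100.7,10.0.0.4,51001,3389,T,I,D,B,,,,","1709287201,198.51.100.7,10.0.0.4,51002,3389,T,I,D,B,,,,","1709287202,198.51.100.7,10.0.0.4,51003,22,T,I,D,B,,,,"]}]},
{"rule":"UserRule_AllowRDP","flows":[{"mac":"000D3AF87856","flowTuples":["1709287210,203.0.113.9,10.0.0.4,40231,3389,T,I,A,B,12,1500,10,2300","1709287211,10.0.1.5,10.0.0.4,40232,3389,T,I,A,B,12,1500,10,2300"]}]},
{"rule":"UserRule_AllowHTTPS","flows":[{"mac":"000D3AF87856","flowTuples":["1709287215,203.0.113.9,10.0.0.4,40233,443,T,I,A,B,,,,"]}]}
]}}]}`

func main() {
	flows, _ := ParseFlows([]byte(sampleLog))
	for _, f := range Detect(flows, 3) {
		fmt.Printf("%-20s %-14s count=%d\n", f.Kind, f.SrcIP, f.Count)
	}
}
```

The "exposed-admin-port" finding is the one that matters for the control: a denied scan shows the NSG doing its job, whereas an allowed RDP session from a public address shows a rule that should not exist. In practice the batch would come from the storage account or Log Analytics workspace the flow logs are routed to, and the threshold would be tuned per environment.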

Security control: Determine the root cause of incidents
Azure solution: Azure Operational Insights; Azure Security Center
Feature:
• Azure Operational Insights collects, stores and analyses log data to enable better-informed decisions and faster response to incidents. Originally part of the Microsoft Operations Management Suite, it is a software as a service (SaaS) solution for IT operations teams that collects, stores and analyses log data from virtually any Windows Server and Linux source, in any datacentre or cloud, and turns it into real-time operational intelligence. For root-cause analysis the value is that logs from every source share one query language and one timeline, so an alert can be walked back to the sign-in, process or network event that started it.
• Azure Security Center (ASC) uses advanced analytics and global threat intelligence to detect malicious threats, and its investigation capabilities help you respond quickly. The investigation dashboard contains a visual, interactive graph of entities such as accounts, machines and other alerts that are related to the initial alert or incident; selecting an entity shows the other entities related to it.
Security control: Patch all systems and ensure security updates are deployed
Azure solution: Azure Security Center
Feature: Azure Security Center provides a single interface for understanding the state of update deployment and for managing the distribution and installation of security updates for Microsoft software. Its recommendation for missing system updates lists the machines that have not installed available updates, so the gap between an update's release and its deployment is visible rather than assumed.

Security control: Keep service and server inventory current and up to date
Azure solution: Azure Resource Manager; Microsoft Purview compliance portal or Microsoft Defender portal
Feature:
• Service and server inventory is about knowing which subscriptions, domains, services, networks and hosts are owned and managed. Keeping track of the services and mitigating the risks that come with them is key to secure operations.
• Azure Resource Manager manages cloud resources through a centralized platform, so resources, deployments and management actions can be tracked. Because every resource is created through it, the inventory can be produced from the platform itself (for example with Azure Resource Graph queries or resource tags) rather than maintained by hand.
• Data classification is essential for understanding and prioritising the data being protected. You can find data classification in the Microsoft Purview compliance portal or the Microsoft Defender portal under Classification > Data Classification.
Security control: Maintain clear server configuration with security in mind
Azure solution: Microsoft Security Compliance Toolkit; Microsoft Baseline Configuration Analyzer
Feature:
• Microsoft Security Compliance Toolkit lets enterprise security administrators download, analyse, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, and compare them against other security configurations. Its Policy Analyzer shows the differences between a baseline and the Group Policy currently applied, so configuration drift is found by comparison rather than by inspection.
• Microsoft Baseline Configuration Analyzer helps identify and maintain an optimal system configuration by analysing the configuration of computers against a predefined set of baselines and reporting the results. Best practices are packaged as best-practice model kits, sets of recommended configurations for customers to use.

Prepared by Mustafa Sepetci
