Azure security is a combination of best practices and of services and products that admins configure to protect identities and services.
Security in Azure starts with building your directory (Azure AD) and assigning the corresponding roles to your cloud users. Apply least privilege either by assigning one of the many built-in roles created for the most common task-oriented users or by creating a custom role that fits your requirements. You use Role-Based Access Control (RBAC) to assign the roles.
It is important to consider the hierarchy with RBAC, because a role assigned at a specific level is inherited down the hierarchy.
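The following added example (not part of the original article) shows how that inheritance can be audited: given role assignments, it lists who effectively holds a role on one resource and flags broad roles that arrive from a parent scope. The sample data is constructed and shaped like `az role assignment list --all` output; the function names are hypothetical, and only subscription, resource group and resource scopes are handled, since management group inheritance needs the group-to-subscription mapping.

```python
# Added example: effective role assignments on a resource via RBAC inheritance.
# All names and IDs below are constructed.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-app"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stappdata"

# Constructed sample, shaped like `az role assignment list --all` output.
ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@contoso.example", "roleDefinitionName": "Reader", "scope": RG},
    {"principalName": "carol@contoso.example",
     "roleDefinitionName": "Storage Blob Data Reader", "scope": STORAGE},
    {"principalName": "dave@contoso.example", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-other"},
]

# Built-in roles that are usually too broad to inherit from a parent scope.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def _norm(scope):
    """Azure scope paths are case-insensitive; drop any trailing slash."""
    return scope.rstrip("/").lower()


def scope_covers(assigned_scope, target):
    """True when a role assigned at assigned_scope also applies to target."""
    a, t = _norm(assigned_scope), _norm(target)
    # Match on a path-segment boundary so rg-app does not cover rg-app2.
    return a == "" or t == a or t.startswith(a + "/")


def effective_assignments(assignments, target):
    """(principal, role, inherited) for every assignment that reaches target."""
    return [(a["principalName"], a["roleDefinitionName"],
             _norm(a["scope"]) != _norm(target))
            for a in assignments if scope_covers(a["scope"], target)]


def broad_inherited(assignments, target):
    """Principals holding a broad role on target through a parent scope."""
    return sorted(p for p, role, inherited in effective_assignments(assignments, target)
                  if inherited and role in BROAD_ROLES)


if __name__ == "__main__":
    for principal, role, inherited in effective_assignments(ASSIGNMENTS, STORAGE):
        print(principal, role, "inherited" if inherited else "direct")
    print("Review for least privilege:", broad_inherited(ASSIGNMENTS, STORAGE))
```
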
At the resource level, you will find security options to configure depending on the resource type. Common settings are:
Encryption
Resources that store data, like Storage Accounts and Databases, encrypt data at rest by default, with the option of encrypting with your own key (BYOK).
Key Vault
A service included in your subscription that protects secrets such as passwords, keys, connection strings and certificates.
Network Security
The VNets that you configure include a Network Security Group (NSG), in which you create inbound and outbound rules to allow or deny specific traffic.
DDoS Protection
A feature that you can set on your VNets to protect against Distributed Denial of Service attacks.
Azure Firewall
A service that you can configure to protect your cloud network infrastructure.
Security Center
For a complete set of security controls, management, and reports, you can turn on Azure Security Center. This service consolidates all the security settings from your subscription, even in a hybrid environment, in a single console. You will find secure scores that give you up-to-date information about your current security status, based on your current infrastructure and best practices. In addition, you will find features like Just in Time Access, which helps protect admin access by assigning temporary access to administrators and protecting those identities.
Azure Sentinel
The SIEM (Security Information and Event Management) solution from Microsoft, which uses artificial intelligence and analytics to predict security threats. It can be integrated with your on-premises and cloud sources.
In terms of security, it is important to consider that the Azure admins are responsible for configuring the security that your organization needs. Some service types use protection such as encryption by default, but if you have special security requirements, you can meet them by turning on a feature or by combining more than one option to help protect your services or data. As a recommendation, check Azure Advisor for recommendations that include security settings based on your current cloud infrastructure configuration. It is also recommended to look at the Security and Compliance documentation, where you will find how the Azure services comply with international security standards.
If you are interested in learning more about Implementing Azure Security, visit us at https://www.fastlaneus.com/microsoft-azure-training .