Azure Shared Responsibility Model: Real World Examples & Best Practices – CoreStack (2024)

Cloud security is pivotal for organizations to protect their business data, reduce data theft, and meet compliance requirements. To secure your data in the cloud, including Microsoft Azure, you need to consider the shared responsibility model, where the cloud provider handles some security tasks while the customer manages others. These tasks vary depending on whether the hosted workload is implemented using software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS).

The shared responsibility model is a cloud security framework that outlines cloud providers’ and customers' security obligations and responsibilities for ensuring accountability. In this arrangement, cloud providers are responsible for the security of the cloud, while customers handle the security in the cloud. For example, when customers run their workload on Azure Virtual Machines (VM), Microsoft secures the underlying compute services infrastructure, including the hypervisor, server hardware, and physical facilities. Customers are responsible for updating guest operating systems and applying security patches.

Simply put, cloud security is a shared responsibility between cloud providers and customers.

This article explains the shared responsibility model and provides examples of how customers should leverage the model to secure their data in Azure and Office 365. This article also recommends deployment best practices.

Division of Responsibilities

Figure 1: Microsoft Shared Responsibility Model (Source)

Compared to on-premises deployments, where customers are responsible for securing the whole stack, the SaaS, PaaS, and IaaS deployments transfer some responsibilities to Microsoft.

Responsibilities under SaaS

In a SaaS deployment (e.g., Exchange Online, SharePoint Online, or Teams), Microsoft is responsible for securing the application, network control, operating system, physical hosts, physical networks, and physical data center. In contrast, customers are responsible for information and data classification, device security, and accounts and identities, e.g., password complexity and multi-factor authentication (MFA).

In addition, Microsoft and customers share responsibility for the identity and directory infrastructure. Take MFA as an illustration: Microsoft ensures that the MFA service is up and running, while customers are responsible for enabling MFA for their users. Properly scoped MFA policies applied to Azure Active Directory (AD) users then provide secure access to business applications and data.

Responsibilities under PaaS

In a PaaS deployment (e.g., Azure SQL or Web Apps), Microsoft handles the security of the operating system, physical hosts, physical networks, and physical data center. Customers are responsible for information and data classification, device security, and accounts and identities. Shared PaaS responsibilities include identity and directory infrastructure, applications, and network controls. For example, Azure SQL customers have granular control over identity security and access, and they can configure which networks are allowed or restricted.

Responsibilities under IaaS

In an IaaS deployment (e.g., Azure VMs), customers' security responsibilities grow to cover seven of the ten responsibilities defined in the Microsoft Shared Responsibility Model. Microsoft is responsible only for securing the physical hosts, physical network, and physical data center. Customers are responsible for securing the operating system, network controls, applications, identity and directory infrastructure, accounts and identities, devices, and information and data.

Common responsibilities for all service types

In all SaaS, PaaS, and IaaS deployments, Microsoft is always responsible for securing the physical layer of the service. Namely, Microsoft handles the security of the physical hosts, networks, and data centers.

Similarly, in SaaS, PaaS, and IaaS deployments, customers are always responsible for securing the data and identities. In other words, customers ensure that information, data, devices, accounts, and identities are secure.

The table below summarizes the common Microsoft and customer responsibilities in SaaS, PaaS, and IaaS deployment models.

Microsoft Responsibility      Customer Responsibility
Physical host                 Information and data
Physical network              Devices (mobile and PCs)
Physical datacenter           Accounts and identities

Table 1: Microsoft and customer responsibilities in SaaS, PaaS, and IaaS

Details of customer responsibilities

As explained above, customers are always responsible for securing their information, data, devices, accounts, and identities, regardless of the cloud deployment model used. This section outlines a few examples of how customers should leverage the shared responsibility model to secure their workloads in Azure and Office 365.

Information and data

Customers store sensitive, personal, and private information and data in Azure and Office 365. They are responsible for selecting the appropriate storage type and encryption method in Azure, applying data loss prevention (DLP) policies to protect sensitive data in Office 365, and implementing the required inbound and outbound access rules to secure network access.

For the most part, Microsoft is responsible for service availability and reliability, providing logs, and reporting.

The table below lists a few examples of Microsoft’s and customers’ responsibilities in securing information and data in the cloud.

Area: Data Storage
Microsoft Responsibility:
  • Storage account service availability
  • Generation of security access keys
  • Secure local and geo-replications
Customer Responsibility:
  • For data encryption, use the default Microsoft-managed encryption keys or your own. Figure 2 below shows the two options.
  • Select the correct storage type for your data (blobs, file shares, queues, or tables).
  • Configure appropriate security and network options.
  • Enable audits and create alert rules.

Area: Data Loss Protection
Microsoft Responsibility:
  • Service availability
  • Integrated policy templates
  • Logs, reports, and notifications
Customer Responsibility:
  • Apply, test, and deploy email and sensitive data DLP policies in Office 365 tenants.
  • Investigate false positives and fine-tune DLP policies accordingly.
  • Monitor incident reports and assess potential risks.

Area: Network Access
Microsoft Responsibility:
  • NSG and firewall service availability
Customer Responsibility:
  Security rules in network security groups (NSGs) let customers filter the network traffic allowed to flow in and out of virtual network subnets and network interfaces.

  The default NSG inbound rules allow traffic to flow between all subnets in the virtual network but block traffic from outside it. Customers must add inbound rules that meet their own security requirements. For example, VMs hosting SQL Server should only talk to the VMs hosting the application servers, and VMs hosting websites should allow inbound traffic on ports 80 and 443 from the internet.

  PaaS services (e.g., Azure SQL) support granular firewall configuration, including virtual network rules and firewall rules.

  Figures 3 and 4 show NSG and Azure SQL networking configuration options.

Table 2: Microsoft and customer responsibilities in securing information and data in the cloud

Figure 2: Storage account encryption types

Figure 3: NSG inbound and outbound rules

Figure 4: Azure SQL networking options
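To make the NSG behaviour described in Table 2 concrete, the following Python script is an added example (not code from the article or from Microsoft) that models how Azure evaluates inbound NSG rules: rules are checked in ascending priority order, the first match wins, and every NSG ends with the built-in AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500) rules. The address ranges, rule names and the simplified treatment of the Internet tag as "anything outside the VNet" are assumptions; the SQL-tier case shows that allowing the app subnet alone is not enough, because the default AllowVnetInBound rule still admits every other subnet unless an explicit deny sits above it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the article).
VNET = ip_network("10.0.0.0/16")        # whole virtual network
APP_SUBNET = ip_network("10.0.1.0/24")  # application-server tier

@dataclass
class Rule:
    priority: int       # lower number is evaluated first; custom rules use 100-4096
    name: str
    source: str         # "*", "Internet", "VirtualNetwork", "AzureLoadBalancer" or a CIDR
    port: "int | None"  # None means any destination port
    action: str         # "Allow" or "Deny"
# The inbound rules every NSG ships with; they sit below any custom rule.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", None, "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", None, "Allow"),
    Rule(65500, "DenyAllInBound", "*", None, "Deny"),
]

def source_matches(rule_source, src_ip):
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":       # simplified: anything outside the VNet
        return ip not in VNET
    if rule_source == "AzureLoadBalancer":
        return src_ip == "168.63.129.16"  # Azure health-probe source address
    return ip in ip_network(rule_source)

def evaluate(custom_rules, src_ip, dst_port):
    """The first matching rule in ascending priority order decides the flow."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.port in (None, dst_port):
            return rule.action, rule.name

# Web tier: ports 80 and 443 from the internet, as the article recommends.
WEB_RULES = [Rule(100, "AllowHttp", "Internet", 80, "Allow"),
             Rule(110, "AllowHttps", "Internet", 443, "Allow")]
# SQL tier: only the app subnet on 1433. Without the explicit deny at priority
# 200, the default AllowVnetInBound rule still admits every other VNet subnet.
SQL_RULES = [Rule(100, "AllowAppToSql", str(APP_SUBNET), 1433, "Allow"),
             Rule(200, "DenyVnetToSql", "VirtualNetwork", None, "Deny")]

def sql_tier_check(src_ip="10.0.2.7"):
    """Verdict for a client in another VNet subnet, without and with the deny rule."""
    return evaluate(SQL_RULES[:1], src_ip, 1433), evaluate(SQL_RULES, src_ip, 1433)
```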

Devices

Endpoint security is paramount to protecting customers' cloud environments, which makes Microsoft Intune a key pillar in the Microsoft cloud stack. With Intune, customers can assess compliance readiness and apply security updates on devices registered and joined via Azure AD. In addition, Azure AD conditional access ensures that only compliant and secure devices can connect to Azure and Office 365.

Implementing Intune, Azure AD conditional access, and device registration are all the responsibility of customers. Microsoft handles service availability and reliability, logs, and reporting.

The table below provides more details on Microsoft and customer responsibilities for securing devices in the cloud.

Area: Device Access
Microsoft Responsibility:
  • Service availability
  • Azure AD integration with Intune
  • Backend compliance checks
  • Logs and reports
Customer Responsibility:
  • Register devices with Azure AD and implement Intune device-based conditional access, so that only compliant devices (on supported platforms such as Windows 10, iOS, Android, and macOS) are allowed to access cloud resources.
  • Monitor, assess, and fine-tune device and application policies. For example, the device access requirement settings are shown in Figure 5.

Area: Device and Data Protection
Microsoft Responsibility:
  • Service availability
  • Integrated capabilities
  • Logs and reports
Customer Responsibility:
  • Deploy device configuration and compliance policies to control what users can do with managed and unmanaged devices.
  • Block access to business data from devices that might be compromised.
  • Apply device encryption and MFA.
  • Manage software updates and apply device security baselines.

Table 3: Microsoft and customer responsibilities in securing devices in the cloud

Figure 5: Intune device access requirements settings


Accounts and identities

Identity is the new security perimeter of the cloud. Azure AD is the Microsoft cloud-based directory service that manages authentication and authorization for Microsoft cloud services such as Office 365, Intune, and Dynamics 365.

Microsoft is responsible for providing a reliable, robust, available, and scalable directory service that customers use to securely access their cloud-hosted business applications. For example, Azure AD Connect (AADC) supports password hash synchronization, pass-through authentication, and federation. Azure AD MFA prompts users during sign-in for an additional form of identification, such as a verification code sent to their phone or a fingerprint scan. Azure AD Conditional Access goes a step further by granting or blocking access based on defined security criteria such as location or device compliance. Finally, Azure AD Privileged Identity Management (PIM) provides just-in-time privileged access to Azure AD and Azure resources, together with identity governance.

Azure AD customers are responsible for implementing a robust authentication mechanism, applying security policies, monitoring, and auditing sign-ins in their environment.

The table below lists a few examples of Microsoft’s and customers’ responsibilities in securing accounts and identities in the cloud.

Area: Identity Protection
Microsoft Responsibility:
  • Risk detections, including:
      • Leaked credentials
      • Sign-in from anonymous IP addresses
      • Impossible travel to atypical locations (such as signing in from the US and Europe within the same hour)
      • Sign-in from unfamiliar locations
      • Sign-in from infected devices
      • Sign-in from IP addresses with suspicious activity
  • Service availability
  • Logs and reports
Customer Responsibility:
  Customers must monitor and take action when users' credentials are compromised, users sign in from risky locations, or their devices are infected. In addition, customers need security measures in place to safeguard access to cloud resources. For example, implement Azure AD Conditional Access and force users to change their passwords if their credentials have been leaked, and block access in the case of impossible travel to atypical locations.
  • Figure 6 shows the Azure AD Identity Protection policies.
  • Figure 7 shows the Azure AD Identity Protection dashboard.

  Note: Leaked credential reporting requires password hash sync if Azure AD is integrated with Windows AD. Identity Protection requires Azure AD Premium licenses.

Area: Least Privilege
Microsoft Responsibility:
  • PIM and role-based access control (RBAC) service availability
Customer Responsibility:
  • Implement Azure AD PIM.
  • Set policies and assign them to users and groups.
  • Monitor and audit usage in the environment.
  • Use Azure RBAC, the authorization system built into Azure, to provide fine-grained access to Azure and Office 365 resources.
  • Figure 8 shows Azure AD PIM configuration settings.

Area: Azure AD SSO
Microsoft Responsibility:
  • Service availability
  • Integrated apps
Customer Responsibility:
  • Apply Azure AD single sign-on (SSO) to secure access to enterprise applications.
  • Onboard and offboard access to business applications from a central place. This master repository can be Azure AD or Windows AD.

Table 4: Microsoft and customer responsibilities in securing accounts and identities in the cloud

Figure 6: Azure AD Identity protection policies

Figure 7: Microsoft identity protection dashboard

Figure 8: Azure AD PIM configuration settings
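The "impossible travel" risk detection that Table 4 attributes to Microsoft can also be reproduced over exported sign-in logs, which helps when validating the risk events Identity Protection raises. The following Python is an added example, not code from the article or from Microsoft: the sign-in log, the coordinates, and the 1000 km/h plausibility threshold are constructed assumptions, and the check compares each user's consecutive sign-ins by the speed that would have been needed to travel between them.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold, above airliner cruising speed

# Constructed sample sign-in log (assumption): user, UTC timestamp, latitude, longitude.
SIGNIN_LOG = [
    ("alice", "2024-03-01T10:00:00", 40.7128, -74.0060),  # New York
    ("alice", "2024-03-01T10:45:00", 51.5074, -0.1278),   # London, 45 minutes later
    ("bob",   "2024-03-01T10:00:00", 40.7128, -74.0060),  # New York
    ("bob",   "2024-03-01T13:00:00", 42.3601, -71.0589),  # Boston, three hours later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(log, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins of one user that would need travel faster than max_kmh."""
    by_user = {}
    for user, ts, lat, lon in sorted(log, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    findings = []
    for user, events in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            # Floor the interval at one second so simultaneous sign-ins from two
            # different places still yield a finite (and very high) speed.
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)
            speed = km / hours
            if speed > max_kmh:
                findings.append({"user": user, "km": round(km), "kmh": round(speed)})
    return findings
```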

Recommendations and best practices

The following are a few recommendations and best practices for taking care of the customer responsibilities in the shared responsibility model in Azure.

  • Use appropriate storage types in Azure, and configure encryption, security, and network access options that suit your business.
  • Apply DLP policies to sensitive data.
  • Implement secure inbound and outbound rules and configure firewall policies for IaaS and PaaS services in Azure.
  • Use Microsoft Intune for Mobile Device Management (MDM) and Mobile Application Management (MAM) solutions.
  • Enable Identity Protection in Azure AD; monitor and assess sign-in risks and alert users about them.
  • Implement Azure AD PIM for just-in-time privilege access and identity governance.
  • Implement Azure AD SSO, conditional access, and MFA.
  • Use Azure Security Center (now Microsoft Defender for Cloud) to find and fix vulnerabilities, block malicious access, and receive alerts when your resources are under attack.

Conclusion

Understanding the shared responsibility model is vital for organizations hosting workloads in the cloud. The security features available in the cloud can provide greater security than on-premises as long as they are effectively utilized. Microsoft delivers robust and scalable security solutions in Azure and Office 365. Customers must assess and apply appropriate security measures to protect their information, data, devices, accounts, and identities.
