
Azure Security Overview and Best Practices

1. Azure is a public cloud platform that supports many operating systems, programming languages, and tools to build applications.
2. Azure provides security capabilities to help customers customize security for their applications and services deployed on Azure.
3. The paper outlines Microsoft's approach to security within Azure, including security features implemented by Microsoft and security services available for customers.


Contents

Azure Security Documentation


Architecture and design
Advanced threat detection
Azure logging and auditing
Azure network security
Azure serverless platform security
Container security in Azure
Enabling operational security
Isolation in the Azure cloud
Secure hybrid network architecture
Security technical capabilities
Develop secure apps on Azure
Data security and encryption
Database security
Best practices
Security checklist
Disk encryption
Best practices
Data encryption-at-rest
Disk encryption for IaaS VMs
About Azure Disk Encryption
Quickstarts
Encrypt VM - Azure PowerShell
Azure Disk Encryption
Disk encryption prerequisites
Disk encryption for Windows VMs
Disk encryption for Linux VMs
Appendix for disk encryption
Disk encryption FAQ
Troubleshooting
Azure Disk Encryption with Azure AD app (previous release)
Disk encryption with Azure AD app prerequisites
Disk encryption with Azure AD app for Windows VMs
Disk encryption with Azure AD app for Linux VMs
Azure Storage security
Storage security guide
Platform and infrastructure
Infrastructure security
Physical security
Availability
Components and boundaries
Network architecture
Production network
SQL Database
Operations
Monitoring
Integrity
Data protection
Microsoft Antimalware
IaaS security
Best practices - IaaS workloads
Azure marketplace images
Identity management
Choose Azure AD authentication
Security checklist
Best practices
Enforce MFA on subscription administrators
Network security
Best practices
DDoS Protection
Boundary security
Application
PaaS
Azure App Service for PaaS
Azure Storage for PaaS
DB best practices for PaaS
IoT
IoT security best practices
IoT security
Secure your IoT deployment
Azure Service Fabric security
Best practices
Security checklist
Monitoring, auditing, and operations
Auditing and logging
Security management
Remote management security
Azure log integration
Introduction
Get started
Integrate Azure AD audit logs
Integrate Security Center alerts
Integrate logs from Key Vault
FAQ
Operational security
Best practices
Security checklist
Governance and compliance
AU PROTECTED
IaaS web application
PaaS web application
FedRAMP
Data analytics
Data warehouse
IaaS web application
PaaS web application
FFIEC
Data analytics
Data warehouse
IaaS web application
PaaS web application
HIPAA/HITRUST
Health Data and AI
NIST SP 800-171
Data analytics
Data warehouse
IaaS web application
PaaS web application
PCI DSS
Data analytics
Data warehouse
IaaS web application
PaaS web application
TIC
Trusted Internet Connection with Azure
UK NHS
Data analytics
Data warehouse
IaaS web application
PaaS web application
UK OFFICIAL
IaaS web application
PaaS web application
White papers
Azure security services
Technical overviews
Best practices
Resources
Azure security MVP program
Cybersecurity consulting
Log a security event support ticket
Pen testing
Microsoft Threat Modeling tool
Getting started
Feature overview
Threats
Releases
Threat Modeling Tool GA release 7.1.5091.2 - 9/12/2018
Threat Modeling Tool update release 7.1.51023.1 - 11/1/2018
Threat Modeling Tool update release 7.1.60126.1 - 1/29/2019
Mitigations
Auditing and logging
Authentication
Authorization
Communication security
Configuration management
Cryptography
Exception management
Input validation
Sensitive data
Session management
Security is integrated into every aspect of Azure. Azure offers you unique security advantages derived from global security
intelligence, sophisticated customer-facing controls, and a secure hardened infrastructure. This powerful combination helps protect
your applications and data, support your compliance efforts, and provide cost-effective security for organizations of all sizes.

Learn about Azure security


I’m considering Azure for my company. What security does Azure have to offer?

How does Microsoft share security responsibilities with my organization?

How does Microsoft secure the Azure infrastructure?

Storage security overview

Network security overview

Data encryption overview

What monitoring and logging options are available in Azure?

How does Azure secure my data at rest?

How do I encrypt Azure virtual machines

White papers
Azure security response in the cloud
Azure advanced threat detection
Azure network security
Develop secure applications on Azure

Best practices
Security best practices for Azure
Network security
Data security
Virtual machine security
Identity and access
IaaS security
Secure PaaS deployments
Secure Azure Admin accounts
Checklists
Securing databases
Operational security
Service Fabric security

Compliance
FFIEC

HIPAA/HITRUST

PCI DSS

FEDRAMP

UK-OFFICIAL

Resources & Services


MSFT Trust Center

Azure security partners

Cybersecurity consulting

Pen testing

Azure Security Center

Azure Key Vault

Disk Encryption

Azure Information Protection

Multi-factor authentication (MFA)


Introduction to Azure Security
2/7/2019 • 30 minutes to read

Overview
We know that security is job one in the cloud and how important it is that you find accurate and timely information
about Azure security. One of the best reasons to use Azure for your applications and services is to take advantage
of its wide array of security tools and capabilities. These tools and capabilities help make it possible to create
secure solutions on the secure Azure platform. Microsoft Azure provides confidentiality, integrity, and availability of
customer data, while also enabling transparent accountability.
To help you better understand the collection of security controls implemented within Microsoft Azure from both
the customer's and Microsoft operations' perspectives, this white paper, "Introduction to Azure Security", is written
to provide a comprehensive look at the security available with Microsoft Azure.
Azure Platform
Azure is a public cloud service platform that supports a broad selection of operating systems, programming
languages, frameworks, tools, databases, and devices. It can run Linux containers with Docker integration; build
apps with JavaScript, Python, .NET, PHP, Java, and Node.js; build back-ends for iOS, Android, and Windows
devices.
Azure public cloud services support the same technologies millions of developers and IT professionals already rely
on and trust. When you build on, or migrate IT assets to, a public cloud service provider you are relying on that
organization’s abilities to protect your applications and data with the services and the controls they provide to
manage the security of your cloud-based assets.
Azure’s infrastructure is designed from facility to applications for hosting millions of customers simultaneously,
and it provides a trustworthy foundation upon which businesses can meet their security requirements.
In addition, Azure provides you with a wide array of configurable security options and the ability to control them
so that you can customize security to meet the unique requirements of your organization’s deployments. This
document helps you understand how Azure security capabilities can help you fulfill these requirements.

NOTE
The primary focus of this document is on customer-facing controls that you can use to customize and increase security for
your applications and services.
We do provide some overview information, but for detailed information on how Microsoft secures the Azure platform itself,
see information provided in the Microsoft Trust Center.

Abstract
Initially, public cloud migrations were driven by cost savings and agility to innovate. Security was considered a
major concern for some time, and even a show stopper, for public cloud migration. However, public cloud security
has transitioned from a major concern to one of the drivers for cloud migration. The rationale behind this is the
superior ability of large public cloud service providers to protect applications and the data of cloud-based assets.
Azure’s infrastructure is designed from the facility to applications for hosting millions of customers simultaneously,
and it provides a trustworthy foundation upon which businesses can meet their security needs. In addition, Azure
provides you with a wide array of configurable security options and the ability to control them so that you can
customize security to meet the unique requirements of your deployments to meet your IT control policies and
adhere to external regulations.
This paper outlines Microsoft’s approach to security within the Microsoft Azure cloud platform:
Security features implemented by Microsoft to secure the Azure infrastructure, customer data, and applications.
Azure services and security features available to you to manage the Security of the Services and your data
within your Azure subscriptions.

Summary Azure Security Capabilities


The following table provides a brief description of the security features implemented by Microsoft to secure the
Azure infrastructure, customer data, and applications.
Security Features Implemented to Secure the Azure Platform:
The features listed below are capabilities you can review to gain assurance that the Azure Platform is
managed in a secure manner. Links have been provided for further drill-down on how Microsoft addresses
customer trust questions in four areas: Secure Platform, Privacy & Controls, Compliance, and Transparency.

SECURE PLATFORM | PRIVACY & CONTROLS | COMPLIANCE | TRANSPARENCY
Security Development Cycle, Internal audits | Manage your data all the time | Trust Center | How Microsoft secures customer data in Azure services
Mandatory Security training, background checks | Control on data location | Common Controls Hub | How Microsoft manages data location in Azure services
Penetration testing, intrusion detection, DDoS, Audits & logging | Provide data access on your terms | The Cloud Services Due Diligence Checklist | Who in Microsoft can access your data on what terms
State of the art data center, physical security, Secure Network | Responding to law enforcement | Compliance by service, location & Industry | How Microsoft secures customer data in Azure services
Security Incident response, Shared Responsibility | Stringent privacy standards | Review certification for Azure services, Transparency hub |

Security Features Offered by Azure to Secure Data and Application


Depending on the cloud service model, there is variable responsibility for who is responsible for managing the
security of the application or service. There are capabilities available in the Azure Platform to assist you in meeting
these responsibilities through built-in features, and through partner solutions that can be deployed into an Azure
subscription.
The built-in capabilities are organized in six (6) functional areas: Operations, Applications, Storage, Networking,
Compute, and Identity. Additional detail on the features and capabilities available in the Azure Platform in these six
(6) areas is provided through summary information.

Operations
This section provides additional information regarding key features in security operations and summary
information about these capabilities.
Security and Audit Dashboard
The Security and Audit solution provides a comprehensive view into your organization’s IT security posture with
built-in search queries for notable issues that require your attention. The Security and Audit dashboard is the
home screen for everything related to security in Log Analytics. It provides high-level insight into the Security state
of your computers. It also includes the ability to view all events from the past 24 hours, 7 days, or any other custom
time frame.
In addition, you can configure Security & Compliance to automatically carry out specific actions when a specific
event is detected.
Azure Resource Manager
Azure Resource Manager enables you to work with the resources in your solution as a group. You can deploy,
update, or delete all the resources for your solution in a single, coordinated operation. You use an Azure Resource
Manager template for deployment and that template can work for different environments such as testing, staging,
and production. Resource Manager provides security, auditing, and tagging features to help you manage your
resources after deployment.
Azure Resource Manager template-based deployments help improve the security of solutions deployed in Azure
because standard security control settings can be integrated into standardized template-based deployments.
This reduces the risk of security configuration errors that might take place during manual deployments.
Application Insights
Application Insights is an extensible Application Performance Management (APM) service for web developers.
With Application Insights, you can monitor your live web applications and automatically detect performance
anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually
do with your apps. It monitors your application all the time it's running, both during testing and after you've
published or deployed it.
Application Insights creates charts and tables that show you, for example, what times of day you get most users,
how responsive the app is, and how well it is served by any external services that it depends on.
If there are crashes, failures or performance issues, you can search through the telemetry data in detail to diagnose
the cause. And the service sends you emails if there are any changes in the availability and performance of your
app. Application Insights thus becomes a valuable security tool because it helps with the availability leg of the
confidentiality, integrity, and availability security triad.
Azure Monitor
Azure Monitor offers visualization, query, routing, alerting, auto scale, and automation on data both from the
Azure infrastructure (Activity Log) and each individual Azure resource (Diagnostic Logs). You can use Azure
Monitor to alert you on security-related events that are generated in Azure logs.
Log Analytics
Log Analytics provides an IT management solution for both on-premises and third-party cloud-based
infrastructure (such as AWS) in addition to Azure resources. Data from Azure Monitor can be routed directly to
Log Analytics so you can see metrics and logs for your entire environment in one place.
Log Analytics can be a useful tool in forensic and other security analysis, as the tool enables you to quickly search
through large amounts of security-related entries with a flexible query approach. In addition, on-premises firewall
and proxy logs can be exported into Azure and made available for analysis using Log Analytics.
Azure Advisor
Azure Advisor is a personalized cloud consultant that helps you to optimize your Azure deployments. It analyzes
your resource configuration and usage telemetry. It then recommends solutions to help improve the performance,
security, and high availability of your resources while looking for opportunities to reduce your overall Azure spend.
Azure Advisor provides security recommendations, which can significantly improve your overall security posture
for solutions you deploy in Azure. These recommendations are drawn from security analysis performed by Azure
Security Center.
Azure Security Center
Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into and control
over the security of your Azure resources. It provides integrated security monitoring and policy management
across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad
ecosystem of security solutions.
In addition, Azure Security Center helps with security operations by providing you a single dashboard that surfaces
alerts and recommendations that can be acted upon immediately. Often, you can remediate issues with a single
click within the Azure Security Center console.

Applications
This section provides additional information regarding key features in application security and summary
information about these capabilities.
Web Application vulnerability scanning
One of the easiest ways to get started with testing for vulnerabilities on your App Service app is to use the
integration with Tinfoil Security to perform one-click vulnerability scanning on your app. You can view the test
results in an easy-to-understand report, and learn how to fix each vulnerability with step-by-step instructions.
Penetration Testing
If you prefer to perform your own penetration tests or want to use another scanner suite or provider, you must
follow the Azure penetration testing approval process and obtain prior approval to perform the desired
penetration tests.
Web Application firewall
The web application firewall (WAF) in Azure Application Gateway helps protect web applications from common
web-based attacks like SQL injection, cross-site scripting attacks, and session hijacking. It comes preconfigured
with protection from threats identified by the Open Web Application Security Project (OWASP) as the top 10
common vulnerabilities.
Authentication and authorization in Azure App Service
App Service Authentication / Authorization is a feature that provides a way for your application to sign in users so
that you don't have to change code on the app backend. It provides an easy way to protect your application and
work with per-user data.
Layered Security Architecture
Since App Service Environments provide an isolated runtime environment deployed into an Azure Virtual
Network, developers can create a layered security architecture providing differing levels of network access for each
application tier. A common desire is to hide API back-ends from general Internet access, and only allow APIs to be
called by upstream web apps. Network Security groups (NSGs) can be used on Azure Virtual Network subnets
containing App Service Environments to restrict public access to API applications.
Web server diagnostics and application diagnostics
App Service web apps provide diagnostic functionality for logging information from both the web server and the
web application. These are logically separated into web server diagnostics and application diagnostics. Web server
diagnostics includes two major advances in diagnosing and troubleshooting sites and applications.
The first new feature is real-time state information about application pools, worker processes, sites, application
domains, and running requests. The second new advantage is the detailed trace events that track a request
throughout the complete request-and-response process.
To enable the collection of these trace events, IIS 7 can be configured to automatically capture full trace logs, in
XML format, for any particular request based on elapsed time or error response codes.
Web server diagnostics
You can enable or disable the following kinds of logs:
Detailed Error Logging - Detailed error information for HTTP status codes that indicate a failure (status
code 400 or greater). This may contain information that can help determine why the server returned the
error code.
Failed Request Tracing - Detailed information on failed requests, including a trace of the IIS components
used to process the request and the time taken in each component. This can be useful if you are attempting
to increase site performance or isolate what is causing a specific HTTP error to be returned.
Web Server Logging - Information about HTTP transactions using the W3C extended log file format. This is
useful when determining overall site metrics such as the number of requests handled or how many requests
are from a specific IP address.
Application diagnostics
Application diagnostics allows you to capture information produced by a web application. ASP.NET applications
can use the System.Diagnostics.Trace class to log information to the application diagnostics log. In Application
Diagnostics, there are two major types of events, those related to application performance and those related to
application failures and errors. The failures and errors can be divided further into connectivity, security, and failure
issues. Failure issues are typically related to a problem with the application code.
In Application Diagnostics, you can view events grouped in these ways:
All (displays all events)
Application Errors (displays exception events)
Performance (displays performance events)

Storage
This section provides additional information regarding key features in Azure storage security and summary
information about these capabilities.
Role-Based Access Control (RBAC)
You can secure your storage account with Role-Based Access Control (RBAC). Restricting access based on the need
to know and least privilege security principles is imperative for organizations that want to enforce Security policies
for data access. These access rights are granted by assigning the appropriate RBAC role to groups and applications
at a certain scope. You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to
users. Access to the storage keys for a storage account using the Azure Resource Manager model can be controlled
through Role-Based Access Control (RBAC).
Shared Access Signature
A shared access signature (SAS) provides delegated access to resources in your storage account. The SAS means
that you can grant a client limited permissions to objects in your storage account for a specified period and with a
specified set of permissions. You can grant these limited permissions without having to share your account access
keys.
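As an added example (not code from this page or from the Azure SDK), the following Python models the SAS idea: the account owner signs the delegated permissions, validity window and resource with the account key, the client presents only the resulting token, and the service recomputes the HMAC before checking scope, window and permission. The key, the `res` parameter, the fixed clock and the string-to-sign are simplified and constructed for this demo; Azure's real string-to-sign carries more fields.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed account key for the demo (not a real Azure key). In Azure the account key
# stays with the account owner; only the signed token minted below is handed to the client.
ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-azure-key").decode()

# Fixed "now" (2019-02-07T12:00:00Z as Unix seconds) so results are reproducible.
DEMO_NOW = 1549540800


def _string_to_sign(resource, permissions, start, expiry):
    # Simplified: Azure's real string-to-sign also covers IP range, protocol, service version
    # and response-header overrides; the idea (newline-joined fields under one MAC) is the same.
    return "\n".join([permissions, start, expiry, resource])


def _sign(key_b64, payload):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_sas(key_b64, resource, permissions, lifetime_minutes, now=None):
    """Owner side: mint a token granting `permissions` on `resource` for a bounded window."""
    now = int(time.time()) if now is None else now
    start = time.strftime(TIME_FMT, time.gmtime(now))
    expiry = time.strftime(TIME_FMT, time.gmtime(now + 60 * lifetime_minutes))
    sig = _sign(key_b64, _string_to_sign(resource, permissions, start, expiry))
    # sp/st/se/sig mirror the real SAS query parameter names; `res` is constructed for this demo.
    return urlencode({"sp": permissions, "st": start, "se": expiry, "res": resource, "sig": sig})


def verify_sas(key_b64, token, resource, requested_permission, now=None):
    """Service side: recompute the MAC over the claimed fields, then check scope, window, permission."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(token).items()}
    try:
        expected = _sign(key_b64, _string_to_sign(q["res"], q["sp"], q["st"], q["se"]))
        claimed = q["sig"]
    except KeyError:
        return False, "malformed token"
    # Signature first: every other field is untrusted until the MAC checks out.
    if not hmac.compare_digest(expected, claimed):
        return False, "bad signature"
    if q["res"] != resource:
        return False, "resource mismatch"
    start = calendar.timegm(time.strptime(q["st"], TIME_FMT))
    expiry = calendar.timegm(time.strptime(q["se"], TIME_FMT))
    if not start <= now < expiry:
        return False, "outside validity window"
    if requested_permission not in q["sp"]:
        return False, "permission not granted"
    return True, "ok"
```

A token altered after issue (for example `sp=r` edited to `sp=rw`) fails at the signature check, which is why the client can be trusted with a SAS but never with the key.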
Encryption in Transit
Encryption in transit is a mechanism of protecting data when it is transmitted across networks. With Azure Storage,
you can secure data using:
Transport-level encryption, such as HTTPS when you transfer data into or out of Azure Storage.
Wire encryption, such as SMB 3.0 encryption for Azure File shares.
Client-side encryption, to encrypt the data before it is transferred into storage and to decrypt the data after
it is transferred out of storage.
Encryption at rest
For many organizations, data encryption at rest is a mandatory step towards data privacy, compliance, and data
sovereignty. There are three Azure storage security features that provide encryption of data that is “at rest”:
Storage Service Encryption allows you to request that the storage service automatically encrypt data when
writing it to Azure Storage.
Client-side Encryption also provides the feature of encryption at rest.
Azure Disk Encryption allows you to encrypt the OS disks and data disks used by an IaaS virtual machine.
Storage Analytics
Azure Storage Analytics performs logging and provides metrics data for a storage account. You can use this data to
trace requests, analyze usage trends, and diagnose issues with your storage account. Storage Analytics logs
detailed information about successful and failed requests to a storage service. This information can be used to
monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort
basis. The following types of authenticated requests are logged:
Successful requests.
Failed requests, including timeout, throttling, network, authorization, and other errors.
Requests using a Shared Access Signature (SAS), including failed and successful requests.
Requests to analytics data.
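An added example, not from the page: the Python below parses constructed Storage Analytics-style log lines (a reduced, assumed field layout rather than the full semicolon-delimited format) and flags source addresses that accumulate authorization failures, including failed SAS requests, the kind of first pass a forensic review of these logs would run.

```python
from collections import Counter

# Reduced field layout, assumed for this example. Real Storage Analytics logs are
# semicolon-delimited with many more columns; only these positions are modelled here.
FIELDS = ["version", "start_time", "operation", "status", "http_status",
          "auth_type", "requester", "owner", "service", "url", "source_ip"]

# request-status values meaning the caller failed to authorize (shared key or SAS).
AUTH_FAILURES = {"AuthorizationError", "SASAuthorizationError"}

# Constructed sample log lines (not real telemetry); the fifth line is deliberately malformed.
SAMPLE_LOG = """\
1.0;2019-02-07T12:00:01Z;GetBlob;Success;200;authenticated;acct1;acct1;blob;https://acct1.blob.core.windows.net/data/report.txt;10.0.1.4
1.0;2019-02-07T12:00:02Z;GetBlob;SASAuthorizationError;403;sas;;acct1;blob;https://acct1.blob.core.windows.net/data/secret.txt;198.51.100.7
1.0;2019-02-07T12:00:03Z;GetBlob;SASAuthorizationError;403;sas;;acct1;blob;https://acct1.blob.core.windows.net/data/keys.txt;198.51.100.7
1.0;2019-02-07T12:00:04Z;ListBlobs;AuthorizationError;403;anonymous;;acct1;blob;https://acct1.blob.core.windows.net/data?comp=list;198.51.100.7
1.0;2019-02-07T12:00:05Z;GetBlob;Success;200;garbled-line-with-too-few-fields
1.0;2019-02-07T12:00:06Z;PutBlob;Success;201;sas;;acct1;blob;https://acct1.blob.core.windows.net/uploads/photo.jpg;10.0.1.5
1.0;2019-02-07T12:00:07Z;GetBlob;AuthorizationError;403;anonymous;;acct1;blob;https://acct1.blob.core.windows.net/data/report.txt;203.0.113.9
"""


def parse_log(text):
    """Parse semicolon-delimited lines into dicts; lines with the wrong field count are counted and skipped."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) != len(FIELDS):
            skipped += 1
            continue
        rec = dict(zip(FIELDS, parts))
        rec["http_status"] = int(rec["http_status"])
        records.append(rec)
    return records, skipped


def auth_failures_by_ip(records, threshold=3):
    """Source addresses with at least `threshold` authorization failures: candidates for a closer look."""
    counts = Counter(r["source_ip"] for r in records if r["status"] in AUTH_FAILURES)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sas_failures(records):
    """Failed requests that presented a SAS token: expired, tampered or over-scoped tokens show up here."""
    return [(r["source_ip"], r["url"]) for r in records
            if r["auth_type"] == "sas" and r["status"] in AUTH_FAILURES]


def summarize(text, threshold=3):
    """One-shot summary over a log body: parse, then apply both checks."""
    records, skipped = parse_log(text)
    return {
        "parsed": len(records),
        "skipped": skipped,
        "suspicious_ips": auth_failures_by_ip(records, threshold),
        "sas_failures": sas_failures(records),
    }
```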
Enabling Browser-Based Clients Using CORS
Cross-Origin Resource Sharing (CORS) is a mechanism that allows domains to give each other permission for
accessing each other’s resources. The User Agent sends extra headers to ensure that the JavaScript code loaded
from a certain domain is allowed to access resources located at another domain. The latter domain then replies
with extra headers allowing or denying the original domain access to its resources.
Azure storage services now support CORS so that once you set the CORS rules for the service, a properly
authenticated request made against the service from a different domain is evaluated to determine whether it is
allowed according to the rules you have specified.

Networking
This section provides additional information regarding key features in Azure network security and summary
information about these capabilities.
Network Layer Controls
Network access control is the act of limiting connectivity to and from specific devices or subnets and represents the
core of network security. The goal of network access control is to make sure that your virtual machines and
services are accessible to only users and devices to which you want them accessible.
Network Security Groups
A Network Security Group (NSG) is a basic stateful packet filtering firewall and it enables you to control access
based on a 5-tuple. NSGs do not provide application layer inspection or authenticated access controls. They can be
used to control traffic moving between subnets within an Azure Virtual Network and traffic between an Azure
Virtual Network and the Internet.
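The following Python is an added example (not Azure's code) that simulates NSG evaluation over a 5-tuple: rules are applied in ascending priority, the first match decides, and Azure's built-in inbound default rules sit at the end. It uses a constructed address plan to replay the layered design described under App Service Environments above, an API subnet that accepts port 443 only from the web tier, and shows why an explicit deny is needed: the default AllowVnetInBound rule would otherwise admit any source inside the VNet.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan for this example: one VNet with a web-tier and an API-tier subnet.
VNET_PREFIXES = [ip_network("10.0.0.0/16")]
WEB_SUBNET, API_SUBNET = "10.0.1.0/24", "10.0.2.0/24"
AZURE_LB = ip_address("168.63.129.16")  # source address of Azure load balancer health probes


def make_rule(name, priority, access, src="*", src_port="*", dst="*", dst_port="*",
              protocol="*", direction="Inbound"):
    return {"name": name, "priority": priority, "access": access, "src": src, "src_port": src_port,
            "dst": dst, "dst_port": dst_port, "protocol": protocol, "direction": direction}


# Azure's built-in inbound default rules (lowest precedence; outbound defaults omitted here).
DEFAULT_INBOUND = [
    make_rule("AllowVnetInBound", 65000, "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    make_rule("AllowAzureLoadBalancerInBound", 65001, "Allow", src="AzureLoadBalancer"),
    make_rule("DenyAllInBound", 65500, "Deny"),
]

# NSG on the API subnet: only the web tier may reach the API on 443. Without the explicit
# deny at 110, AllowVnetInBound (65000) would admit any other subnet in the VNet.
API_SUBNET_RULES = [
    make_rule("Allow-WebTier-To-Api", 100, "Allow", src=WEB_SUBNET, dst=API_SUBNET,
              dst_port="443", protocol="Tcp"),
    make_rule("Deny-Vnet-To-Api", 110, "Deny", src="VirtualNetwork", dst=API_SUBNET,
              dst_port="443", protocol="Tcp"),
]


def _addr_match(spec, addr):
    addr = ip_address(addr)
    in_vnet = any(addr in net for net in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":                 # simplified tag: anything outside the VNet
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    return addr in ip_network(spec, strict=False)   # CIDR block or single address


def _port_match(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):           # "80,443" or "1024-65535"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _proto_match(spec, proto):
    return spec == "*" or spec.lower() == proto.lower()


def evaluate(custom_rules, src, src_port, dst, dst_port, proto, direction="Inbound"):
    """Evaluate one 5-tuple: ascending priority, first match decides. Returns (access, rule name)."""
    rules = sorted((r for r in custom_rules + DEFAULT_INBOUND if r["direction"] == direction),
                   key=lambda r: r["priority"])
    for r in rules:
        if (_addr_match(r["src"], src) and _port_match(r["src_port"], src_port)
                and _addr_match(r["dst"], dst) and _port_match(r["dst_port"], dst_port)
                and _proto_match(r["protocol"], proto)):
            return r["access"], r["name"]
    return "Deny", "no-rule"   # not reached while DenyAllInBound is present


def decide(rules, src, dst, dst_port, proto="Tcp"):
    # Convenience wrapper: ephemeral client port, inbound direction.
    return evaluate(rules, src, 51000, dst, dst_port, proto)
```

Dropping the custom rules (`decide([], ...)`) shows the gap the page warns about: a request from any other subnet to the API on 443 is allowed by AllowVnetInBound.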
Route Control and Forced Tunneling
The ability to control routing behavior on your Azure Virtual Networks is a critical network security and access
control capability. For example, if you want to make sure that all traffic to and from your Azure Virtual Network
goes through that virtual security appliance, you need to be able to control and customize routing behavior. You
can do this by configuring User-Defined Routes in Azure.
User-Defined Routes allow you to customize inbound and outbound paths for traffic moving into and out of
individual virtual machines or subnets to ensure the most secure route possible. Forced tunneling is a mechanism
you can use to ensure that your services are not allowed to initiate a connection to devices on the Internet.
This is different from being able to accept incoming connections and then responding to them. Front-end web
servers need to respond to requests from Internet hosts, and so Internet-sourced traffic is allowed inbound to
these web servers and the web servers can respond.
Forced tunneling is commonly used to force outbound traffic to the Internet to go through on-premises security
proxies and firewalls.
Virtual Network Security Appliances
While Network Security Groups, User-Defined Routes, and forced tunneling provide you a level of security at the
network and transport layers of the OSI model, there may be times when you want to enable security at higher
levels of the stack. You can access these enhanced network security features by using an Azure partner network
security appliance solution. You can find the most current Azure partner network security solutions by visiting the
Azure Marketplace and searching for “security” and “network security.”
Azure Virtual Network
An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the
Azure network fabric dedicated to your subscription. You can fully control the IP address blocks, DNS settings,
security policies, and route tables within this network. You can segment your VNet into subnets and place Azure
IaaS virtual machines (VMs) and/or Cloud services (PaaS role instances) on Azure Virtual Networks.
Additionally, you can connect the virtual network to your on-premises network using one of the connectivity
options available in Azure. In essence, you can expand your network to Azure, with complete control on IP address
blocks with the benefit of enterprise scale Azure provides.
Azure networking supports various secure remote access scenarios. Some of these include:
Connect individual workstations to an Azure Virtual Network
Connect on-premises network to an Azure Virtual Network with a VPN
Connect on-premises network to an Azure Virtual Network with a dedicated WAN link
Connect Azure Virtual Networks to each other
VPN Gateway
To send network traffic between your Azure Virtual Network and your on-premises site, you must create a VPN
gateway for your Azure Virtual Network. A VPN gateway is a type of virtual network gateway that sends
encrypted traffic across a public connection. You can also use VPN gateways to send traffic between Azure Virtual
Networks over the Azure network fabric.
Express Route
Microsoft Azure ExpressRoute is a dedicated WAN link that lets you extend your on-premises networks into the
Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.
With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365,
and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or
a virtual cross-connection through a connectivity provider at a co-location facility.
ExpressRoute connections do not go over the public Internet and thus can be considered more secure than
VPN-based solutions. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies,
and higher security than typical connections over the Internet.
Application Gateway
Microsoft Azure Application Gateway provides an Application Delivery Controller (ADC) as a service, offering
various layer 7 load balancing capabilities for your application.

It allows you to optimize web farm productivity by offloading CPU-intensive SSL termination to the Application
Gateway (also known as "SSL offload" or "SSL bridging"). It also provides other Layer 7 routing capabilities
including round-robin distribution of incoming traffic, cookie-based session affinity, URL path-based routing, and
the ability to host multiple websites behind a single Application Gateway. Azure Application Gateway is a layer-7
load balancer.
It provides failover and performance-based routing of HTTP requests between different servers, whether they are
in the cloud or on-premises.
Application Gateway provides many Application Delivery Controller (ADC) features including HTTP load balancing,
cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, support for multi-site, and
many others.
Web Application Firewall
Web Application Firewall is a feature of Azure Application Gateway that provides protection to web applications
that use application gateway for standard Application Delivery Control (ADC) functions. Web application firewall
does this by protecting them against most of the OWASP top 10 common web vulnerabilities:

SQL injection protection
Common Web Attacks Protection such as command injection, HTTP request smuggling, HTTP response
splitting, and remote file inclusion attack
Protection against HTTP protocol violations
Protection against HTTP protocol anomalies such as missing Host, User-Agent, and Accept headers
Prevention against bots, crawlers, and scanners
Detection of common application misconfigurations (that is, Apache, IIS, etc.)
A centralized web application firewall to protect against web attacks makes security management much simpler
and gives better assurance to the application against the threats of intrusions. A WAF solution can also react to a
security threat faster by patching a known vulnerability at a central location versus securing each individual web
application. Existing application gateways can be converted to an application gateway with web application
firewall easily.
Traffic Manager
Microsoft Azure Traffic Manager allows you to control the distribution of user traffic for service endpoints in
different data centers. Service endpoints supported by Traffic Manager include Azure VMs, Web Apps, and Cloud
services. You can also use Traffic Manager with external, non-Azure endpoints. Traffic Manager uses the Domain
Name System (DNS ) to direct client requests to the most appropriate endpoint based on a traffic-routing method
and the health of the endpoints.
Traffic Manager provides a range of traffic-routing methods to suit different application needs, endpoint health
monitoring, and automatic failover. Traffic Manager is resilient to failure, including the failure of an entire Azure
region.
Azure Load Balancer
Azure Load Balancer delivers high availability and network performance to your applications. It is a Layer 4 (TCP,
UDP ) load balancer that distributes incoming traffic among healthy instances of services defined in a load-
balanced set. Azure Load Balancer can be configured to:
Load balance incoming Internet traffic to virtual machines. This configuration is known as Internet-facing
load balancing.
Load balance traffic between virtual machines in a virtual network, between virtual machines in cloud
services, or between on-premises computers and virtual machines in a cross-premises virtual network. This
configuration is known as internal load balancing.
Forward external traffic to a specific virtual machine.
Internal DNS
You can manage the list of DNS servers used in a VNet in the Management Portal, or in the network configuration file. You can add up to 12 DNS servers for each VNet. When specifying DNS servers, verify that you list them in the order that is correct for your environment. DNS server lists are not used round-robin; the servers are tried in the order specified. If the first DNS server on the list can be reached, the client uses it whether or not it is answering queries correctly, so a reachable but misconfigured first entry breaks name resolution for the whole VNet. To change the DNS server order for your virtual network, remove the DNS servers from the list and add them back in the order you want. DNS supports the availability aspect of the "CIA" security triad.
Azure DNS
The Domain Name System, or DNS, is responsible for translating (or resolving) a website or service name to its IP
address. Azure DNS is a hosting service for DNS domains, providing name resolution using Microsoft Azure
infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials,
APIs, tools, and billing as your other Azure services. DNS supports the availability aspect of the “CIA” security
triad.
Log Analytics NSGs
You can enable the following diagnostic log categories for NSGs:
Event: Contains entries for which NSG rules are applied to VMs and instance roles based on MAC address.
The status for these rules is collected every 60 seconds.
Rules counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic.
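As an added example (not code from the Azure documentation), the following Python script summarizes an export of both NSG diagnostic categories. The field names (category, resourceId, properties.ruleName, properties.direction, properties.type, properties.matchedConnections, properties.conditions) follow the NSG diagnostic log schema as I understand it and are an assumption to check against your own export; the records themselves are constructed. The script totals matched connections per rule so you can see which deny rule is absorbing traffic, and it flags Event records where an inbound allow rule admits a management port from any source, which is the condition behind the Security Center recommendation below to restrict Internet-facing endpoints.

```python
"""Summarize NSG diagnostic logs: Event and Rules counter categories.

Added example, not code from the Azure documentation. Field names follow
the NSG diagnostic log schema as the author understands it (assumption);
the records below are constructed, one JSON object per line as they land
in a storage account export.
"""
import json
from collections import defaultdict

NSG_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/PROD-RG"
          "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG")

# Constructed sample export: two Event records (rules applied to a NIC, keyed
# by MAC address) and three Rules counter records (how often each rule matched).
SAMPLE_NSG_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2019-02-01T10:00:00Z", "category": "NetworkSecurityGroupEvent", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-11-22-33", "ruleName": "UserRule_allow-https",
                    "direction": "In", "priority": 100, "type": "allow",
                    "conditions": {"destinationPortRange": "443-443", "sourcePortRange": "0-65535",
                                   "sourceIP": "0.0.0.0/0,0.0.0.0/0", "destinationIP": "10.0.1.4/32,10.0.1.4/32"}}},
    {"time": "2019-02-01T10:00:00Z", "category": "NetworkSecurityGroupEvent", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-11-22-33", "ruleName": "UserRule_allow-rdp-any",
                    "direction": "In", "priority": 110, "type": "allow",
                    "conditions": {"destinationPortRange": "3389-3389", "sourcePortRange": "0-65535",
                                   "sourceIP": "0.0.0.0/0,0.0.0.0/0", "destinationIP": "10.0.1.4/32,10.0.1.4/32"}}},
    {"time": "2019-02-01T10:01:00Z", "category": "NetworkSecurityGroupRuleCounter", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-11-22-33", "ruleName": "UserRule_allow-https",
                    "direction": "In", "type": "allow", "matchedConnections": 412}},
    {"time": "2019-02-01T10:01:00Z", "category": "NetworkSecurityGroupRuleCounter", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-11-22-33", "ruleName": "UserRule_allow-rdp-any",
                    "direction": "In", "type": "allow", "matchedConnections": 38}},
    {"time": "2019-02-01T10:01:00Z", "category": "NetworkSecurityGroupRuleCounter", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-11-22-33", "ruleName": "DefaultRule_DenyAllInBound",
                    "direction": "In", "type": "deny", "matchedConnections": 57}},
])

ANY_SOURCE = {"0.0.0.0/0", "*", "Internet"}


def parse_records(text):
    """One JSON record per non-empty line; lines that are not JSON are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def nsg_name(resource_id):
    return resource_id.rsplit("/", 1)[-1]


def rule_hits(records):
    """Sum matchedConnections per (NSG, rule, direction, allow|deny) from Rules counter records."""
    totals = defaultdict(int)
    for r in records:
        if r.get("category") != "NetworkSecurityGroupRuleCounter":
            continue
        p = r["properties"]
        key = (nsg_name(r["resourceId"]), p["ruleName"], p["direction"], p["type"])
        totals[key] += int(p.get("matchedConnections", 0))
    return dict(totals)


def denied_by_rule(records):
    """Rule name -> connections that rule denied; the 'who is knocking' view."""
    return {key[1]: n for key, n in rule_hits(records).items() if key[3] == "deny"}


def internet_exposed_allows(records, ports=("3389", "22")):
    """Event records where an inbound allow rule admits a management port from any source."""
    exposed = []
    for r in records:
        if r.get("category") != "NetworkSecurityGroupEvent":
            continue
        p = r["properties"]
        if p["type"] != "allow" or p["direction"] != "In":
            continue
        cond = p.get("conditions", {})
        lo, _, hi = cond.get("destinationPortRange", "").partition("-")
        any_source = any(s.strip() in ANY_SOURCE for s in cond.get("sourceIP", "").split(","))
        if not (any_source and lo.isdigit() and hi.isdigit()):
            continue
        for port in ports:
            if int(lo) <= int(port) <= int(hi):
                exposed.append((p["macAddress"], p["ruleName"], port))
    return exposed


if __name__ == "__main__":
    recs = parse_records(SAMPLE_NSG_LOG)
    print("denied:", denied_by_rule(recs))
    print("management ports open to any source:", internet_exposed_allows(recs))
```

Run against a real export, the deny totals tell you whether the default DenyAllInBound rule is doing most of the work (expected) or whether a custom deny rule is silently dropping legitimate traffic, and the exposure check gives you the same finding the Security Center recommendation would, but per NIC and per rule.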
Azure Security Center
Security Center helps you prevent, detect, and respond to threats, and provides you increased visibility into, and
control over, the Security of your Azure resources. It provides integrated Security monitoring and policy
management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works
with a broad ecosystem of Security solutions. Network recommendations center around firewalls, Network
Security Groups, configuring inbound traffic rules, and more.
Available network recommendations are as follows:
Add a Next Generation Firewall Recommends that you add a Next Generation Firewall (NGFW ) from a
Microsoft partner to increase your security protections
Route traffic through NGFW only Recommends that you configure network security group (NSG ) rules that
force inbound traffic to your VM through your NGFW.
Enable Network Security Groups on subnets or virtual machines Recommends that you enable NSGs on
subnets or VMs.
Restrict access through Internet facing endpoint Recommends that you configure inbound traffic rules for
NSGs.

Compute
The section provides additional information regarding key features in this area and summary information about
these capabilities.
Antimalware & Antivirus
With Azure IaaS, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend
Micro, McAfee, and Kaspersky to protect your virtual machines from malicious files, adware, and other threats.
Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a protection capability that helps identify
and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides configurable alerts
when known malicious or unwanted software attempts to install itself or run on your Azure systems. Microsoft Antimalware can also be deployed using Azure Security Center.
Hardware Security Module
Encryption and authentication do not improve security unless the keys themselves are protected. You can simplify
the management and security of your critical secrets and keys by storing them in Azure Key Vault. Key Vault
provides the option to store your keys in hardware security modules (HSMs) validated to FIPS 140-2 Level 2. Your SQL Server encryption keys for backup or transparent data encryption can all be stored in Key
Vault with any keys or secrets from your applications. Permissions and access to these protected items are
managed through Azure Active Directory.
Virtual machine backup
Azure Backup is a solution that protects your application data with zero capital investment and minimal operating
costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications that
can lead to security issues. With Azure Backup, your virtual machines running Windows and Linux are protected.
Azure Site Recovery
An important part of your organization's business continuity/disaster recovery (BCDR ) strategy is figuring out
how to keep corporate workloads and apps up and running when planned and unplanned outages occur. Azure
Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available
from a secondary location if your primary location goes down.
SQL VM TDE
Transparent data encryption (TDE) and column level encryption (CLE) are SQL Server encryption features. This form of encryption requires you to manage and store the cryptographic keys that are used for encryption.
The Azure Key Vault (AKV ) service is designed to improve the security and management of these keys in a secure
and highly available location. The SQL Server Connector enables SQL Server to use these keys from Azure Key
Vault.
If you are running SQL Server with on-premises machines, there are steps you can follow to access Azure Key
Vault from your on-premises SQL Server machine. But for SQL Server in Azure VMs, you can save time by using
the Azure Key Vault Integration feature. With a few Azure PowerShell cmdlets to enable this feature, you can
automate the configuration necessary for a SQL VM to access your key vault.
VM Disk Encryption
Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. It applies the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide
volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you
control and manage the disk-encryption keys and secrets in your Key Vault subscription. The solution also ensures
that all data on the virtual machine disks are encrypted at rest in your Azure storage.
Virtual networking
Virtual machines need network connectivity. To support that requirement, Azure requires virtual machines to be
connected to an Azure Virtual Network. An Azure Virtual Network is a logical construct built on top of the physical
Azure network fabric. Each logical Azure Virtual Network is isolated from all other Azure Virtual Networks. This
isolation helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure
customers.
Patch Updates
Patch Updates provide the basis for finding and fixing potential problems and simplify the software update
management process, both by reducing the number of software updates you must deploy in your enterprise and
by increasing your ability to monitor compliance.
Security policy management and reporting
Azure Security Center helps you prevent, detect, and respond to threats, and provides you increased visibility into,
and control over, the security of your Azure resources. It provides integrated Security monitoring and policy
management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works
with a broad ecosystem of security solutions.
Azure Security Center
Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the
security of your Azure resources. It provides integrated security monitoring and policy management across your
Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of
security solutions.

Identity and access management


Securing systems, applications, and data begins with identity-based access controls. The identity and access
management features that are built into Microsoft business products and services help protect your organizational
and personal information from unauthorized access while making it available to legitimate users whenever and
wherever they need it.
Secure Identity
Microsoft uses multiple security practices and technologies across its products and services to manage identity and
access.
Multi-Factor Authentication requires users to use multiple methods for access, on-premises and in the
cloud. It provides strong authentication with a range of easy verification options, while accommodating
users with a simple sign-in process.
Microsoft Authenticator provides a user-friendly Multi-Factor Authentication experience that works with
both Microsoft Azure Active Directory and Microsoft accounts, and includes support for wearables and
fingerprint-based approvals.
Password policy enforcement increases the security of traditional passwords by imposing length and
complexity requirements, forced periodic rotation, and account lockout after failed authentication attempts.
Token-based authentication enables authentication via Azure Active Directory.
Role-based access control (RBAC ) enables you to grant access based on the user’s assigned role, making it
easy to give users only the amount of access they need to perform their job duties. You can customize RBAC
per your organization’s business model and risk tolerance.
Integrated identity management (hybrid identity) enables you to maintain control of users’ access across
internal datacenters and cloud platforms, creating a single user identity for authentication and authorization
to all resources.
Secure Apps and data
Azure Active Directory, a comprehensive identity and access management cloud solution, helps secure access to
data in applications on site and in the cloud, and simplifies the management of users and groups. It combines core
directory services, advanced identity governance, security, and application access management, and makes it easy
for developers to build policy-based identity management into their apps. To enhance your Azure Active Directory,
you can add paid capabilities using the Azure Active Directory Basic, Premium P1, and Premium P2 editions.

Azure Active Directory editions and their features:
FREE / COMMON FEATURES: Directory Objects, User/Group Management (add/update/delete)/User-based provisioning, Device registration, Single Sign-On (SSO), Self-Service Password Change for cloud users, Connect (Sync engine that extends on-premises directories to Azure Active Directory), Security / Usage Reports
BASIC FEATURES: Group-based access management / provisioning, Self-Service Password Reset for cloud users, Company Branding (Logon Pages/Access Panel customization), Application Proxy, SLA 99.9%
PREMIUM P1 FEATURES: Self-Service Group and app Management/Self-Service application additions/Dynamic Groups, Self-Service Password Reset/Change/Unlock with on-premises write-back, Multi-Factor Authentication (Cloud and On-premises (MFA Server)), MIM CAL + MIM Server, Cloud App Discovery, Connect Health, Automatic password rollover for group accounts
PREMIUM P2 FEATURES: Identity Protection, Privileged Identity Management
AZURE ACTIVE DIRECTORY JOIN – WINDOWS 10 ONLY RELATED FEATURES: Join a device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator BitLocker recovery, MDM auto-enrollment, Self-Service BitLocker recovery, Additional local administrators to Windows 10 devices via Azure AD Join

Cloud App Discovery is a premium feature of Azure Active Directory that enables you to identify cloud
applications that are used by the employees in your organization.
Azure Active Directory Identity Protection is a security service that uses Azure Active Directory anomaly
detection capabilities to provide a consolidated view into risk events and potential vulnerabilities that could
affect your organization’s identities.
Azure Active Directory Domain Services enables you to join Azure VMs to a domain without the need to
deploy domain controllers. Users sign in to these VMs by using their corporate Active Directory credentials,
and can seamlessly access resources.
Azure Active Directory B2C is a highly available, global identity management service for consumer-facing
apps that can scale to hundreds of millions of identities and integrate across mobile and web platforms.
Your customers can sign in to all your apps through customizable experiences that use existing social media
accounts, or you can create new standalone credentials.
Azure Active Directory B2B Collaboration is a secure partner integration solution that supports your cross-
company relationships by enabling partners to access your corporate applications and data selectively by
using their self-managed identities.
Azure Active Directory Join enables you to extend cloud capabilities to Windows 10 devices for centralized
management. It makes it possible for users to connect to the corporate or organizational cloud through
Azure Active Directory and simplifies access to apps and resources.
Azure Active Directory Application Proxy provides SSO and secure remote access for web applications
hosted on-premises.

Next Steps
Getting started with Microsoft Azure Security
Azure services and features you can use to help secure your services and data within Azure
Azure Security Center
Prevent, detect, and respond to threats with increased visibility and control over the security of your Azure
resources
Security health monitoring in Azure Security Center
The monitoring capabilities in Azure Security Center to monitor compliance with policies.
Azure advanced threat detection
2/1/2019 • 21 minutes to read

Azure offers built in advanced threat detection functionality through services such as Azure Active Directory (Azure
AD ), Azure Log Analytics, and Azure Security Center. This collection of security services and capabilities provides a
simple and fast way to understand what is happening within your Azure deployments.
Azure provides a wide array of options to configure and customize security to meet the requirements of your app
deployments. This article discusses how to meet these requirements.

Azure Active Directory Identity Protection


Azure AD Identity Protection is an Azure Active Directory Premium P2 edition feature that provides an overview
of the risk events and potential vulnerabilities that can affect your organization’s identities. Identity Protection uses
existing Azure AD anomaly-detection capabilities that are available through Azure AD Anomalous Activity Reports,
and introduces new risk event types that can detect anomalies in real time.

Identity Protection uses adaptive machine learning algorithms and heuristics to detect anomalies and risk events
that might indicate that an identity has been compromised. Using this data, Identity Protection generates reports
and alerts so that you can investigate these risk events and take appropriate remediation or mitigation action.
Azure Active Directory Identity Protection is more than a monitoring and reporting tool. Based on risk events,
Identity Protection calculates a user risk level for each user, so that you can configure risk-based policies to
automatically protect the identities of your organization.
These risk-based policies, in addition to other conditional access controls that are provided by Azure Active
Directory and EMS, can automatically block or offer adaptive remediation actions that include password resets and
multi-factor authentication enforcement.
Identity Protection capabilities
Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your
organization's identities, you can configure risk-based policies that automatically respond to detected issues when a
specified risk level has been reached. These policies, in addition to other conditional access controls provided by
Azure Active Directory and EMS, can either automatically block or initiate adaptive remediation actions including
password resets and multi-factor authentication enforcement.
Examples of some of the ways that Azure Identity Protection can help secure your accounts and identities include:
Detecting risk events and risky accounts
Detect six risk event types using machine learning and heuristic rules.
Calculate user risk levels.
Provide custom recommendations to improve overall security posture by highlighting vulnerabilities.
Investigating risk events
Send notifications for risk events.
Investigate risk events using relevant and contextual information.
Provide basic workflows to track investigations.
Provide easy access to remediation actions such as password reset.
Risk-based, conditional-access policies
Mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges.
Block or secure risky user accounts.
Require users to register for multi-factor authentication.
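The following Python block is an added illustration of the policy shape described above, not Azure AD Identity Protection's own model: the event weights and level thresholds are my assumptions, and the risk events fed to it are constructed. It rolls open risk events up into a user risk level, scores the detections on a single sign-in into a sign-in risk level, and maps (user risk, sign-in risk, MFA registration state) to the action a risk-based conditional access policy would enforce: allow, require MFA, require a password reset, push the user to register for MFA, or block.

```python
"""Risk-based conditional access, as an added illustration.

Not Azure AD Identity Protection's model: the event weights and level
thresholds below are the author's assumptions. What it shows is the shape
of the policies the text describes: open risk events roll up into a user
risk level, the detections on one sign-in give a sign-in risk level, and
(user risk, sign-in risk, MFA registration) decides the action.
"""
from collections import defaultdict

# The six risk event types Identity Protection documented at the time,
# with weights chosen for this example (assumption).
EVENT_WEIGHTS = {
    "leaked_credentials": 3,
    "sign_in_from_anonymous_ip": 2,
    "impossible_travel": 2,
    "sign_in_from_infected_device": 2,
    "sign_in_from_suspicious_ip": 1,
    "sign_in_from_unfamiliar_location": 1,
}


def level_from_score(score):
    """Bucket a score into the four levels Identity Protection reports."""
    if score >= 3:
        return "high"
    if score == 2:
        return "medium"
    if score == 1:
        return "low"
    return "none"


def user_risk_levels(events):
    """events: (user, event_type, closed). Closed (remediated) events no longer
    count; a user's level is the highest weight among their open events."""
    top = defaultdict(int)
    for user, event_type, closed in events:
        if not closed:
            top[user] = max(top[user], EVENT_WEIGHTS.get(event_type, 0))
    return {user: level_from_score(score) for user, score in top.items()}


def sign_in_risk_level(detections):
    """Detections on a single sign-in add up: two medium signals make it high."""
    return level_from_score(sum(EVENT_WEIGHTS.get(d, 0) for d in detections))


def evaluate_sign_in(user_level, sign_in_level, mfa_registered):
    """Sign-in risk policy: high -> block, medium -> MFA. User risk policy:
    high -> password reset (which itself needs MFA). A user who cannot be
    challenged is blocked rather than let through, and a low-risk user
    without a registered method is pushed to register."""
    if sign_in_level == "high":
        return "block"
    if user_level == "high":
        return "require_password_reset" if mfa_registered else "block"
    if sign_in_level == "medium":
        return "require_mfa" if mfa_registered else "block"
    if not mfa_registered:
        return "require_mfa_registration"
    return "allow"


if __name__ == "__main__":
    # Constructed risk events: carol's leaked-credential event was already remediated.
    levels = user_risk_levels([
        ("alice", "leaked_credentials", False),
        ("bob", "sign_in_from_unfamiliar_location", False),
        ("carol", "leaked_credentials", True),
    ])
    for user, detections, mfa in [("alice", [], True),
                                  ("bob", ["sign_in_from_anonymous_ip"], False),
                                  ("carol", ["sign_in_from_anonymous_ip", "impossible_travel"], True)]:
        action = evaluate_sign_in(levels.get(user, "none"), sign_in_risk_level(detections), mfa)
        print(f"{user}: user risk {levels.get(user, 'none')}, "
              f"sign-in risk {sign_in_risk_level(detections)} -> {action}")
```

The ordering inside evaluate_sign_in is the part worth copying: the most severe condition wins, and "cannot challenge the user" resolves to block rather than allow, which is the fail-closed behaviour you want from an MFA-requiring policy.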
Azure AD Privileged Identity Management
With Azure Active Directory Privileged Identity Management (PIM ), you can manage, control, and monitor access
within your organization. This feature includes access to resources in Azure AD and other Microsoft online
services, such as Office 365 or Microsoft Intune.

PIM helps you:


Get alerts and reports about Azure AD administrators and just-in-time (JIT) administrative access to
Microsoft online services, such as Office 365 and Intune.
Get reports about administrator access history and changes in administrator assignments.
Get alerts about access to a privileged role.
Azure Log Analytics
Log Analytics is a Microsoft cloud-based IT management solution that helps you manage and protect your on-
premises and cloud infrastructure. Because Log Analytics is implemented as a cloud-based service, you can have it
up and running quickly with minimal investment in infrastructure services. New security features are delivered
automatically, saving ongoing maintenance and upgrade costs.
In addition to providing valuable services on its own, Log Analytics can integrate with System Center components,
such as System Center Operations Manager, to extend your existing security management investments into the
cloud. System Center and Log Analytics can work together to provide a full hybrid management experience.
Holistic security and compliance posture
The Log Analytics Security and Audit dashboard provides a comprehensive view into your organization’s IT
security posture, with built-in search queries for notable issues that require your attention. The Security and Audit
dashboard is the home screen for everything related to security in Log Analytics. It provides high-level insight into
the security state of your computers. You can also view all events from the past 24 hours, 7 days, or any other
custom timeframe.
Log Analytics helps you quickly and easily understand the overall security posture of any environment, all within the
context of IT Operations, including software update assessment, antimalware assessment, and configuration
baselines. Security log data is readily accessible to streamline the security and compliance audit processes.

The Log Analytics Security and Audit dashboard is organized into four major categories:
Security Domains: Lets you further explore security records over time; access malware assessments;
update assessments; view network security, identity, and access information; view computers with security
events; and quickly access the Azure Security Center dashboard.
Notable Issues: Lets you quickly identify the number of active issues and the severity of the issues.
Detections (Preview): Lets you identify attack patterns by displaying security alerts as they occur against
your resources.
Threat Intelligence: Lets you identify attack patterns by displaying the total number of servers with
outbound malicious IP traffic, the malicious threat type, and a map of the IPs locations.
Common security queries: Lists the most common security queries that you can use to monitor your
environment. When you select any query, the Search pane opens and displays the results for that query.
Insight and analytics
At the center of Log Analytics is the repository, which is hosted by Azure.
You collect data into the repository from connected sources by configuring data sources and adding solutions to
your subscription.

Data sources and solutions each create separate record types with their own set of properties, but you can still
analyze them together in queries to the repository. You can use the same tools and methods to work with a variety
of data that's collected by various sources.
Most of your interaction with Log Analytics is through the Azure portal, which runs in any browser and provides
you with access to configuration settings and multiple tools to analyze and act on collected data. From the portal,
you can use:
Log searches where you construct queries to analyze collected data.
Dashboards, which you can customize with graphical views of your most valuable searches.
Solutions, which provide additional functionality and analysis tools.
Solutions add functionality to Log Analytics. They primarily run in the cloud and provide analysis of data that's
collected in the Log Analytics repository. Solutions might also define new record types to be collected that can be
analyzed with log searches or by using an additional user interface that the solution provides in the Log Analytics
dashboard.
The Security and Audit dashboard is an example of these types of solutions.
Automation and control: Alert on security configuration drifts
Azure Automation automates administrative processes with runbooks that are based on PowerShell and run in the
cloud. Runbooks can also be executed on a server in your local data center to manage local resources. Azure
Automation provides configuration management with PowerShell Desired State Configuration (DSC ).

You can create and manage DSC resources that are hosted in Azure and apply them to cloud and on-premises
systems. By doing so, you can define and automatically enforce their configuration or get reports on drift to help
ensure that security configurations remain within policy.
Azure Security Center
Azure Security Center helps protect your Azure resources. It provides integrated security monitoring and policy
management across your Azure subscriptions. Within the service, you can define policies against both your Azure
subscriptions and resource groups for greater granularity.

Microsoft security researchers are constantly on the lookout for threats. They have access to an expansive set of
telemetry gained from Microsoft’s global presence in the cloud and on-premises. This wide-reaching and diverse
collection of datasets enables Microsoft to discover new attack patterns and trends across its on-premises
consumer and enterprise products, as well as its online services.
Thus, Security Center can rapidly update its detection algorithms as attackers release new and increasingly
sophisticated exploits. This approach helps you keep pace with a fast-moving threat environment.
Security Center threat detection works by automatically collecting security information from your Azure resources,
the network, and connected partner solutions. It analyzes this information, correlating information from multiple
sources, to identify threats.
Security alerts are prioritized in Security Center along with recommendations on how to remediate the threat.
Security Center employs advanced security analytics, which go far beyond signature-based approaches.
Breakthroughs in big data and machine learning technologies are used to evaluate events across the entire cloud
fabric. Advanced analytics can detect threats that would be impossible to identify through manual approaches and can predict the evolution of attacks. These security analytics types are covered in the next sections.
Threat intelligence
Microsoft has access to an immense amount of global threat intelligence.
Telemetry flows in from multiple sources, such as Azure, Office 365, Microsoft CRM online, Microsoft Dynamics
AX, outlook.com, MSN.com, the Microsoft Digital Crimes Unit (DCU ), and Microsoft Security Response Center
(MSRC ).

Researchers also receive threat intelligence information that is shared among major cloud service providers, and
they subscribe to threat intelligence feeds from third parties. Azure Security Center can use this information to
alert you to threats from known bad actors. Some examples include:
Harnessing the power of machine learning: Azure Security Center has access to a vast amount of data
about cloud network activity, which can be used to detect threats targeting your Azure deployments.
Brute force detection: Machine learning is used to create a historical pattern of remote access attempts,
which allows it to detect brute force attacks against Secure Shell (SSH), Remote Desktop Protocol (RDP ),
and SQL ports.
Outbound DDoS and botnet detection: A common objective of attacks that target cloud resources is to
use the compute power of these resources to execute other attacks.
New behavioral analytics servers and VMs: After a server or virtual machine is compromised, attackers
employ a wide variety of techniques to execute malicious code on that system while avoiding detection,
ensuring persistence, and obviating security controls.
Azure SQL Database Threat Detection: Threat detection for Azure SQL Database, which identifies
anomalous database activities that indicate unusual and potentially harmful attempts to access or exploit
databases.
Behavioral analytics
Behavioral analytics is a technique that analyzes and compares data to a collection of known patterns. However,
these patterns are not simple signatures. They are determined through complex machine learning algorithms that
are applied to massive datasets.

The patterns are also determined through careful analysis of malicious behaviors by expert analysts. Azure
Security Center can use behavioral analytics to identify compromised resources based on analysis of virtual
machine logs, virtual network device logs, fabric logs, crash dumps, and other sources.
In addition, patterns are correlated with other signals to check for supporting evidence of a widespread campaign.
This correlation helps to identify events that are consistent with established indicators of compromise.
Some examples include:
Suspicious process execution: Attackers employ several techniques to execute malicious software without
detection. For example, an attacker might give malware the same names as legitimate system files but place
these files in an alternate location, use a name that is similar to that of a benign file, or mask the file’s true
extension. Security Center models process behaviors and monitors process executions to detect outliers such
as these.
Hidden malware and exploitation attempts: Sophisticated malware can evade traditional antimalware
products by either never writing to disk or encrypting software components stored on disk. However, such
malware can be detected by using memory analysis, because the malware must leave traces in memory to
function. When software crashes, a crash dump captures a portion of memory at the time of the crash. By
analyzing the memory in the crash dump, Azure Security Center can detect techniques used to exploit
vulnerabilities in software, access confidential data, and surreptitiously persist within a compromised
machine without affecting the performance of your machine.
Lateral movement and internal reconnaissance: To persist in a compromised network and locate and
harvest valuable data, attackers often attempt to move laterally from the compromised machine to others
within the same network. Security Center monitors process and login activities to discover attempts to
expand an attacker’s foothold within the network, such as remote command execution, network probing,
and account enumeration.
Malicious PowerShell scripts: PowerShell can be used by attackers to execute malicious code on target
virtual machines for various purposes. Security Center inspects PowerShell activity for evidence of
suspicious activity.
Outgoing attacks: Attackers often target cloud resources with the goal of using those resources to mount
additional attacks. Compromised virtual machines, for example, might be used to launch brute force attacks
against other virtual machines, send spam, or scan open ports and other devices on the internet. By
applying machine learning to network traffic, Security Center can detect when outbound network
communications exceed the norm. When spam is detected, Security Center also correlates unusual email
traffic with intelligence from Office 365 to determine whether the mail is likely nefarious or the result of a
legitimate email campaign.
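As an added example (not Security Center's own model), the Python below runs the "suspicious process execution" and "malicious PowerShell" checks from the list above over a constructed feed of process events. It catches a system binary name launched from a directory where that binary does not live, a name within two edits of a known system binary, a document extension immediately followed by an executable one (or a right-to-left override character), and a PowerShell command line carrying an encoded command. The table of legitimate paths, the sample events and the edit-distance threshold are assumptions for the example.

```python
"""Outlier detection over process execution events.

Added example, not Security Center's model. It shows the tricks the text
names (a system binary name in an unexpected place, a lookalike name, a
masked extension) plus encoded PowerShell command lines. The legitimate
paths and the sample events are the author's assumptions.
"""
import ntpath
import re

# Directories where each Windows binary legitimately lives (assumption).
KNOWN_BINARIES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
}
# A document extension immediately followed by an executable one.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpg|png)\.(exe|scr|com|bat|js)$")
# -e, -ec, -en, -enc ... -encodedcommand: PowerShell accepts any unambiguous prefix,
# so match "-e" optionally followed by "c" or "n<letters>", bounded by whitespace.
ENCODED_RE = re.compile(r"(?i)(?<=\s)-e(?:c|n[a-z]*)?(?=\s)")
RLO = "\u202e"   # right-to-left override, used to visually reverse an extension

# Constructed process events as an EDR or Sysmon-style feed might report them.
SAMPLE_EVENTS = [
    {"host": "web-01", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "web-01", "image": r"C:\Users\Public\svchost.exe", "cmdline": "svchost.exe"},
    {"host": "web-02", "image": r"C:\Windows\Temp\svch0st.exe", "cmdline": "svch0st.exe"},
    {"host": "web-02", "image": r"C:\Users\bob\Downloads\invoice.pdf.exe", "cmdline": "invoice.pdf.exe"},
    {"host": "db-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "db-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


def levenshtein(a, b):
    """Edit distance; inputs are short file names, so the plain dynamic program is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(event):
    """Return a list of (finding, detail) tuples for one process event."""
    findings = []
    directory, name = ntpath.split(event["image"])
    directory, name = directory.lower(), name.lower()
    if name in KNOWN_BINARIES:
        if directory not in KNOWN_BINARIES[name]:
            findings.append(("masquerade_path", f"{name} from {directory}"))
    else:
        # Not a known name but within two edits of one: svch0st.exe, scvhost.exe ...
        for known in KNOWN_BINARIES:
            if levenshtein(name, known) <= 2:
                findings.append(("lookalike_name", f"{name} resembles {known}"))
                break
    if DOUBLE_EXT_RE.search(name) or RLO in name:
        findings.append(("masked_extension", name))
    if name in ("powershell.exe", "pwsh.exe") and ENCODED_RE.search(event["cmdline"]):
        findings.append(("encoded_powershell", event["cmdline"]))
    return findings


def scan(events):
    """Map host -> findings, keeping only hosts with at least one finding."""
    report = {}
    for e in events:
        found = analyze(e)
        if found:
            report.setdefault(e["host"], []).extend(found)
    return report


if __name__ == "__main__":
    for host, found in scan(SAMPLE_EVENTS).items():
        for kind, detail in found:
            print(f"{host}: {kind}: {detail}")
```

The sixth event is there on purpose: "-ExecutionPolicy Bypass" is noisy but is not an encoded command, and a regex that matches any "-e" prefix would flag every scheduled script in the estate. Whatever you tune in your own environment, keep a known-good event like that in the test set.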
Anomaly detection
Azure Security Center also uses anomaly detection to identify threats. In contrast to behavioral analytics (which
depends on known patterns derived from large data sets), anomaly detection is more “personalized” and focuses
on baselines that are specific to your deployments. Machine learning is applied to determine normal activity for
your deployments, and then rules are generated to define outlier conditions that could represent a security event.
Here’s an example:
Inbound RDP/SSH brute force attacks: Your deployments might have busy virtual machines with many
logins each day and other virtual machines that have few, if any, logins. Azure Security Center can determine
baseline login activity for these virtual machines and use machine learning to define a band around the normal login activity. If there is any discrepancy with the baseline defined for login-related characteristics, an alert might be
generated. Again, machine learning determines what is significant.
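As an added example (not Security Center's algorithm, and not code from the Azure documentation), the Python below implements the per-VM baseline idea from this paragraph and the brute-force detection item earlier in the Threat intelligence list, using simple statistics rather than machine learning. The log line format and the daily failed-login counts are constructed: web-01 is a busy host with a normal day, web-02 shares that baseline but is being hammered, and db-01 is a quiet host that suddenly sees dozens of failures. The threshold for each VM is max(floor, mean + k * stdev) over its own history, so the busy host's 48 failures and the quiet host's 35 are judged differently.

```python
"""Baseline-and-outlier detection of inbound SSH/RDP brute force.

Added example, not the Security Center algorithm. The log format (one
line per authentication attempt) and the daily counts are constructed for
this illustration; the statistics are the author's simplification.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed failed-login counts per VM: seven baseline days, then the day
# under review.
DAILY_FAILURES = {
    "web-01": ([42, 38, 51, 47, 39, 44, 50], 48),
    "web-02": ([42, 38, 51, 47, 39, 44, 50], 913),
    "db-01": ([0, 1, 0, 0, 2, 0, 1], 35),
}
START_DAY = date(2019, 1, 18)
REVIEW_DAY = (START_DAY + timedelta(days=7)).isoformat()   # "2019-01-25"

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ vm=(?P<vm>\S+) proto=(?P<proto>ssh|rdp) "
    r"result=(?P<result>ok|fail) src=(?P<src>\S+)$")


def constructed_log():
    """Expand DAILY_FAILURES into log lines in the constructed format."""
    lines = []
    for vm, (baseline, today) in DAILY_FAILURES.items():
        for offset, n in enumerate(baseline + [today]):
            day = (START_DAY + timedelta(days=offset)).isoformat()
            for i in range(n):
                lines.append(f"{day}T{i % 24:02d}:{i % 60:02d}:00Z vm={vm} proto=ssh "
                             f"result=fail src=203.0.113.{i % 250 + 1}")
    return lines


def daily_failures(lines):
    """Count failed attempts per VM per day; unparsable lines are ignored."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["result"] == "fail":
            counts[m["vm"]][m["day"]] += 1
    return counts


def detect_bruteforce(lines, review_day, k=3.0, floor=10):
    """Flag VMs whose failed logins on review_day exceed their own baseline.

    threshold = max(floor, mean + k * stdev) over the days before review_day.
    The floor stops a quiet VM alerting on a handful of stray attempts; a
    busy VM is judged against its own, much higher, baseline.
    """
    counts = daily_failures(lines)
    all_days = sorted({d for per_day in counts.values() for d in per_day})
    baseline_days = [d for d in all_days if d < review_day]
    alerts = {}
    for vm, per_day in counts.items():
        history = [per_day.get(d, 0) for d in baseline_days]   # zero-fill quiet days
        if len(history) < 2:
            continue
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        threshold = max(floor, mean + k * sd)
        today = per_day.get(review_day, 0)
        if today > threshold:
            alerts[vm] = {"today": today, "baseline_mean": round(mean, 1),
                          "threshold": round(threshold, 1)}
    return alerts


if __name__ == "__main__":
    for vm, info in detect_bruteforce(constructed_log(), REVIEW_DAY).items():
        print(f"{vm}: {info['today']} failed logins on {REVIEW_DAY} "
              f"(baseline mean {info['baseline_mean']}, threshold {info['threshold']})")
```

Zero-filling the quiet days matters: if you only count days that appear in the log, a VM that normally sees no failures gets a baseline built from its few noisy days and the real burst looks less unusual than it is.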
Continuous threat intelligence monitoring
Azure Security Center operates with security research and data science teams throughout the world that
continuously monitor for changes in the threat landscape. This includes the following initiatives:
Threat intelligence monitoring: Threat intelligence includes mechanisms, indicators, implications, and
actionable advice about existing or emerging threats. This information is shared in the security community,
and Microsoft continuously monitors threat intelligence feeds from internal and external sources.
Signal sharing: Insights from security teams across the broad Microsoft portfolio of cloud and on-
premises services, servers, and client endpoint devices are shared and analyzed.
Microsoft security specialists: Ongoing engagement with teams across Microsoft that work in specialized
security fields, such as forensics and web attack detection.
Detection tuning: Algorithms are run against real customer data sets, and security researchers work with
customers to validate the results. True and false positives are used to refine machine learning algorithms.
These combined efforts culminate in new and improved detections, which you can benefit from instantly. There’s
no action for you to take.

Advanced threat detection features: Other Azure services
Virtual machines: Microsoft antimalware
Microsoft antimalware for Azure is a single-agent solution for applications and tenant environments, designed to
run in the background without human intervention. You can deploy protection based on the needs of your
application workloads, with either basic secure-by-default or advanced custom configuration, including
antimalware monitoring. Azure antimalware is a security option for Azure virtual machines that's automatically
installed on all Azure PaaS virtual machines.
Microsoft antimalware core features
Here are the features of Azure that deploy and enable Microsoft antimalware for your applications:
Real-time protection: Monitors activity in cloud services and on virtual machines to detect and block
malware execution.
Scheduled scanning: Periodically performs targeted scanning to detect malware, including actively
running programs.
Malware remediation: Automatically acts on detected malware, such as deleting or quarantining malicious
files and cleaning up malicious registry entries.
Signature updates: Automatically installs the latest protection signatures (virus definitions) to ensure that
protection is up to date on a pre-determined frequency.
Antimalware Engine updates: Automatically updates the Microsoft Antimalware Engine.
Antimalware platform updates: Automatically updates the Microsoft antimalware platform.
Active protection: Reports telemetry metadata about detected threats and suspicious resources to
Microsoft Azure to ensure rapid response to the evolving threat landscape, enabling real-time synchronous
signature delivery through the Microsoft active protection system.
Samples reporting: Provides and reports samples to the Microsoft antimalware service to help refine the
service and enable troubleshooting.
Exclusions: Allows application and service administrators to configure certain files, processes, and drives
for exclusion from protection and scanning for performance and other reasons.
Antimalware event collection: Records the antimalware service health, suspicious activities, and
remediation actions taken in the operating system event log and collects them into the customer’s Azure
storage account.
Azure SQL Database Threat Detection
Azure SQL Database Threat Detection is a new security intelligence feature built into the Azure SQL Database
service. Working around the clock to learn, profile, and detect anomalous database activities, Azure SQL Database
Threat Detection identifies potential threats to the database.
Security officers or other designated administrators can get an immediate notification about suspicious database
activities as they occur. Each notification provides details of the suspicious activity and recommends how to further
investigate and mitigate the threat.
Currently, Azure SQL Database Threat Detection detects potential vulnerabilities and SQL injection attacks, and
anomalous database access patterns.
Upon receiving a threat-detection email notification, users are able to navigate and view the relevant audit records
through a deep link in the mail. The link opens an audit viewer or a preconfigured auditing Excel template that
shows the relevant audit records around the time of the suspicious event, according to the following:
Audit storage for the database/server with the anomalous database activities.
Relevant audit storage table that was used at the time of the event to write the audit log.
Audit records of the hour immediately following the event occurrence.
Audit records with a similar event ID at the time of the event (optional for some detectors).
SQL Database threat detectors use one of the following detection methodologies:
Deterministic detection: Detects suspicious patterns (rule-based) in the SQL client queries that match
known attacks. This methodology has a high detection rate and a low false-positive rate, but limited coverage,
because it falls within the category of “atomic detections.”
Behavioral detection: Detects anomalous activity, which is abnormal behavior in the database that was not
seen during the most recent 30 days. Examples of SQL client anomalous activity can be a spike of failed
logins or queries, a high volume of data being extracted, unusual canonical queries, or unfamiliar IP
addresses used to access the database.
Application Gateway Web Application Firewall
Web Application Firewall (WAF) is a feature of Azure Application Gateway that provides protection to web
applications that use an application gateway for standard application delivery control functions. Web Application
Firewall does this by protecting them against most of the Open Web Application Security Project (OWASP) top 10
common web vulnerabilities.
Protections include:
SQL injection protection.
Cross site scripting protection.
Common Web Attacks Protection, such as command injection, HTTP request smuggling, HTTP response
splitting, and remote file inclusion attack.
Protection against HTTP protocol violations.
Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers.
Prevention against bots, crawlers, and scanners.
Detection of common application misconfigurations (that is, Apache, IIS, and so on).
Configuring WAF at your application gateway provides the following benefits:
Protects your web application from web vulnerabilities and attacks without modification of the back-end
code.
Protects multiple web applications at the same time behind an application gateway. An application gateway
supports hosting up to 20 websites.
Monitors web applications against attacks by using real-time reports that are generated by application
gateway WAF logs.
Helps meet compliance requirements. Certain compliance controls require all internet-facing endpoints to
be protected by a WAF solution.
Anomaly Detection API: Built with Azure Machine Learning
The Anomaly Detection API is an API that's useful for detecting a variety of anomalous patterns in your time series
data. The API assigns an anomaly score to each data point in the time series, which can be used for generating
alerts, monitoring through dashboards, or connecting with your ticketing systems.
The Anomaly Detection API can detect the following types of anomalies on time series data:
Spikes and dips: When you're monitoring the number of login failures to a service or number of checkouts
in an e-commerce site, unusual spikes or dips could indicate security attacks or service disruptions.
Positive and negative trends: When you're monitoring memory usage in computing, shrinking free
memory size indicates a potential memory leak. For service queue length monitoring, a persistent upward
trend might indicate an underlying software issue.
Level changes and changes in dynamic range of values: Level changes in latencies of a service after a
service upgrade or lower levels of exceptions after upgrade can be interesting to monitor.
The machine learning-based API enables:
Flexible and robust detection: The anomaly detection models allow users to configure sensitivity settings
and detect anomalies among seasonal and non-seasonal data sets. Users can adjust the anomaly detection
model to make the detection API less or more sensitive according to their needs. This would mean detecting
the less or more visible anomalies in data with and without seasonal patterns.
Scalable and timely detection: The traditional way of monitoring, with preset thresholds based on experts'
domain knowledge, is costly and does not scale to millions of dynamically changing data sets. The anomaly
detection models in this API are learned, and the models are tuned automatically from both historical and real-
time data.
Proactive and actionable detection: Slow trend and level change detection can be applied for early
anomaly detection. The early abnormal signals that are detected can be used to direct humans to investigate
and act on the problem areas. In addition, root cause analysis models and alerting tools can be developed
on top of this anomaly-detection API service.
The anomaly-detection API is an effective and efficient solution for a wide range of scenarios, such as service
health and KPI monitoring, IoT, performance monitoring, and network traffic monitoring. Here are some popular
scenarios where this API can be useful:
IT departments need tools to track events, error code, usage log, and performance (CPU, memory, and so
on) in a timely manner.
Online commerce sites want to track customer activities, page views, clicks, and so on.
Utility companies want to track consumption of water, gas, electricity, and other resources.
Facility or building management services want to monitor temperature, moisture, traffic, and so on.
IoT/manufacturers want to use sensor data in time series to monitor work flow, quality, and so on.
Service providers, such as call centers, need to monitor service demand trend, incident volume, wait queue
length, and so on.
Business analytics groups want to monitor business KPIs' (such as sales volume, customer sentiments, or
pricing) abnormal movement in real time.
Cloud App Security
Cloud App Security is a critical component of the Microsoft Cloud Security stack. It's a comprehensive solution
that can help your organization as you move to take full advantage of the promise of cloud applications. It keeps
you in control, through improved visibility into activity. It also helps increase the protection of critical data across
cloud applications.
With tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, your
organization can more safely move to the cloud while maintaining control of critical data.

Discover: Uncover shadow IT with Cloud App Security. Gain visibility by discovering apps, activities, users, data, and files in your cloud environment. Discover third-party apps that are connected to your cloud.
Investigate: Investigate your cloud apps by using cloud forensics tools to deep-dive into risky apps, specific users, and files in your network. Find patterns in the data collected from your cloud. Generate reports to monitor your cloud.
Control: Mitigate risk by setting policies and alerts to achieve maximum control over network cloud traffic. Use Cloud App Security to migrate your users to safe, sanctioned cloud app alternatives.
Protect: Use Cloud App Security to sanction or prohibit applications, enforce data loss prevention, control permissions and sharing, and generate custom reports and alerts.
Cloud App Security integrates visibility with your cloud by:
Using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is
using.
Sanctioning and prohibiting apps in your cloud.
Using easy-to-deploy app connectors that take advantage of provider APIs, for visibility and governance of
apps that you connect to.
Helping you have continuous control by setting, and then continually fine-tuning, policies.
On collecting data from these sources, Cloud App Security runs sophisticated analysis on it. It immediately alerts
you to anomalous activities, and gives you deep visibility into your cloud environment. You can configure a policy
in Cloud App Security and use it to protect everything in your cloud environment.

Third-party Advanced Threat Detection capabilities through the Azure Marketplace
Web Application Firewall
Web Application Firewall inspects inbound web traffic and blocks SQL injections, cross-site scripting, malware
uploads, application DDoS attacks, and other attacks targeted at your web applications. It also inspects the
responses from the back-end web servers for data loss prevention (DLP). The integrated access control engine
enables administrators to create granular access control policies for authentication, authorization, and accounting
(AAA), which gives organizations strong authentication and user control.
Web Application Firewall provides the following benefits:
Detects and blocks SQL injections, Cross-Site Scripting, malware uploads, application DDoS, or any other
attacks against your application.
Authentication and access control.
Scans outbound traffic to detect sensitive data and can mask or block the information from being leaked
out.
Accelerates the delivery of web application contents, using capabilities such as caching, compression, and
other traffic optimizations.
For examples of web application firewalls that are available in the Azure Marketplace, see Barracuda WAF, Brocade
virtual web application firewall (vWAF), Imperva SecureSphere, and the ThreatSTOP IP firewall.

Next steps
Azure Security Center detection capabilities: Helps identify active threats that target your Azure resources
and provides the insights you need to respond quickly.
Azure SQL Database Threat Detection: Helps address your concerns about potential threats to your
databases.
Azure logging and auditing
2/4/2019 • 20 minutes to read

Azure provides a wide array of configurable security auditing and logging options to help you identify gaps in your
security policies and mechanisms. This article discusses generating, collecting, and analyzing security logs from
services hosted on Azure.

NOTE
Certain recommendations in this article might result in increased data, network, or compute resource usage, and increase
your license or subscription costs.

Types of logs in Azure
Cloud applications are complex, with many moving parts. Logs provide data to help keep your applications up and
running. Logs help you troubleshoot past problems or prevent potential ones. And they can help improve
application performance or maintainability, or automate actions that would otherwise require manual intervention.
Azure logs are categorized into the following types:
Control/management logs provide information about Azure Resource Manager CREATE, UPDATE, and
DELETE operations. For more information, see Azure activity logs.
Data plane logs provide information about events raised as part of Azure resource usage. Examples of this
type of log are the Windows event system, security, and application logs in a virtual machine (VM) and the
diagnostics logs that are configured through Azure Monitor.
Processed events provide information about analyzed events/alerts that have been processed on your
behalf. Examples of this type are Azure Security Center alerts where Azure Security Center has processed
and analyzed your subscription and provides concise security alerts.
The following table lists the most important types of logs available in Azure:

| LOG CATEGORY | LOG TYPE | USAGE | INTEGRATION |
|---|---|---|---|
| Activity logs | Control-plane events on Azure Resource Manager resources | Provides insight into the operations that were performed on resources in your subscription. | Rest API, Azure Monitor |
| Azure diagnostics logs | Frequent data about the operation of Azure Resource Manager resources in subscription | Provides insight into operations that your resource itself performed. | Azure Monitor, Stream |
| Azure AD reporting | Logs and reports | Reports user sign-in activities and system activity information about users and group management. | Graph API |
| Virtual machines and cloud services | Windows Event Log service and Linux Syslog | Captures system data and logging data on the virtual machines and transfers that data into a storage account of your choice. | Windows (using Windows Azure Diagnostics [WAD] storage) and Linux in Azure Monitor |
| Azure Storage Analytics | Storage logging, provides metrics data for a storage account | Provides insight into trace requests, analyzes usage trends, and diagnoses issues with your storage account. | REST API or the client library |
| Network Security Group (NSG) flow logs | JSON format, shows outbound and inbound flows on a per-rule basis | Displays information about ingress and egress IP traffic through a Network Security Group. | Azure Network Watcher |
| Application insight | Logs, exceptions, and custom diagnostics | Provides an application performance monitoring (APM) service for web developers on multiple platforms. | REST API, Power BI |
| Process data / security alerts | Azure Security Center alerts, Azure Log Analytics alerts | Provides security information and alerts. | REST APIs, JSON |

Activity logs
Azure activity logs provide insight into the operations that were performed on resources in your subscription.
Activity logs were previously known as “audit logs” or “operational logs,” because they report control-plane events
for your subscriptions.
Activity logs help you determine the “what, who, and when” for write operations (that is, PUT, POST, or DELETE).
Activity logs also help you understand the status of the operation and other relevant properties. Activity logs do
not include read (GET) operations.
In this article, PUT, POST, and DELETE refer to all the write operations that an activity log contains on the
resources. For example, you can use the activity logs to find an error when you're troubleshooting issues or to
monitor how a user in your organization modified a resource.
You can retrieve events from an activity log by using the Azure portal, Azure CLI, PowerShell cmdlets, and the Azure
Monitor REST API. Activity logs have a 90-day data-retention period.
Integration scenarios for an activity log event:
Create an email or webhook alert that's triggered by an activity log event.
Stream it to an event hub for ingestion by a third-party service or custom analytics solution such as
PowerBI.
Analyze it in PowerBI by using the PowerBI content pack.
Save it to a storage account for archival or manual inspection. You can specify the retention time (in days) by
using log profiles.
Query and view it in the Azure portal.
Query it via PowerShell cmdlet, Azure CLI, or REST API.
Export the activity log with log profiles to Log Analytics.
You can use a storage account or event hub namespace that is not in the same subscription as the one that's
emitting the log. Whoever configures the setting must have the appropriate role-based access control (RBAC)
access to both subscriptions.
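The "what, who, and when" triage described above, as an added example that is not part of the original article: it reads activity log records exported as JSON, collapses the Started/Succeeded/Failed events of one operation into a final record, groups changes by caller, and flags successful changes to a watchlist of sensitive operations. The field names follow the Azure Monitor activity log event schema as assumed here, the records themselves are constructed, and the SENSITIVE_PREFIXES watchlist is an example choice, not from the documentation.

```python
"""Triage Azure activity log records: what was changed, by whom, and when."""
import json
from collections import defaultdict

# Constructed sample records. Field names follow the Azure Monitor activity log
# event schema as assumed here (correlationId, caller, operationName.value,
# eventTimestamp, resourceId, status.value); every value is made up.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"correlationId": "c1", "eventTimestamp": "2019-02-04T09:12:30Z",
     "caller": "alice@contoso.example", "status": {"value": "Started"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-any-inbound"},
    {"correlationId": "c1", "eventTimestamp": "2019-02-04T09:12:31Z",
     "caller": "alice@contoso.example", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-any-inbound"},
    {"correlationId": "c2", "eventTimestamp": "2019-02-04T09:15:02Z",
     "caller": "alice@contoso.example", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
     "resourceId": "/subscriptions/<sub-id>/providers/Microsoft.Authorization/roleAssignments/<assignment-id>"},
    {"correlationId": "c3", "eventTimestamp": "2019-02-04T09:20:45Z",
     "caller": "bob@contoso.example", "status": {"value": "Failed"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
    {"correlationId": "c4", "eventTimestamp": "2019-02-04T09:25:10Z",
     "caller": "bob@contoso.example", "status": {"value": "Succeeded"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/restart/action"},
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
])

# Assumed watchlist: operation-name prefixes that change who can do what, or
# what traffic an NSG admits. Tune it for your own tenant.
SENSITIVE_PREFIXES = (
    "Microsoft.Authorization/roleAssignments/",
    "Microsoft.Network/networkSecurityGroups/",
)


def operation_kind(operation_name):
    """Classify an operation by its resource-provider suffix (write/delete/action)."""
    for suffix in ("write", "delete", "action"):
        if operation_name.endswith("/" + suffix):
            return suffix
    return "other"


def load_operations(raw_json):
    """Collapse the Started/Succeeded/Failed events sharing a correlationId into
    one record carrying the final status; returns records in first-seen order."""
    latest = {}
    for ev in sorted(json.loads(raw_json), key=lambda e: e["eventTimestamp"]):
        latest[ev["correlationId"]] = {
            "when": ev["eventTimestamp"],
            "who": ev["caller"],
            "what": ev["operationName"]["value"],
            "kind": operation_kind(ev["operationName"]["value"]),
            "resource": ev["resourceId"],
            "status": ev["status"]["value"],
        }
    return list(latest.values())


def by_caller(ops):
    """Group operations by the identity that performed them."""
    grouped = defaultdict(list)
    for op in ops:
        grouped[op["who"]].append(op)
    return dict(grouped)


def sensitive_changes(ops, prefixes=SENSITIVE_PREFIXES):
    """Successful operations that match the watchlist; failed attempts are
    worth a separate look but are not changes."""
    return [op for op in ops
            if op["status"] == "Succeeded" and op["what"].startswith(prefixes)]


if __name__ == "__main__":
    operations = load_operations(SAMPLE_ACTIVITY_LOG)
    for who, changes in by_caller(operations).items():
        print(who, [(c["when"], c["kind"], c["what"], c["status"]) for c in changes])
    for change in sensitive_changes(operations):
        print("ALERT", change["when"], change["who"], change["what"], change["resource"])
```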
Azure diagnostics logs
Azure diagnostics logs are emitted by a resource that provides rich, frequent data about the operation of that
resource. The content of these logs varies by resource type. For example, Windows event system logs are a
category of diagnostics logs for VMs, and blob, table, and queue logs are categories of diagnostics logs for storage
accounts. Diagnostics logs differ from activity logs, which provide insight into the operations that were performed
on resources in your subscription.
Azure diagnostics logs offer multiple configuration options, such as the Azure portal, PowerShell, Azure CLI, and
the REST API.
Integration scenarios
Save them to a storage account for auditing or manual inspection. You can specify the retention time (in
days) by using the diagnostics settings.
Stream them to event hubs for ingestion by a third-party service or custom analytics solution, such as
PowerBI.
Analyze them with Log Analytics.
Supported services, schema for diagnostics logs and supported log categories per resource type

| SERVICE | SCHEMA AND DOCUMENTATION | RESOURCE TYPE | CATEGORY |
|---|---|---|---|
| Azure Load Balancer | Log Analytics for Load Balancer (Preview) | Microsoft.Network/loadBalancers | LoadBalancerAlertEvent, LoadBalancerProbeHealthStatus |
| Network Security Groups | Log Analytics for Network Security Groups | Microsoft.Network/networksecuritygroups | NetworkSecurityGroupEvent, NetworkSecurityGroupRuleCounter |
| Azure Application Gateway | Diagnostics logging for Application Gateway | Microsoft.Network/applicationGateways | ApplicationGatewayAccessLog, ApplicationGatewayPerformanceLog, ApplicationGatewayFirewallLog |
| Azure Key Vault | Key Vault logs | Microsoft.KeyVault/vaults | AuditEvent |
| Azure Search | Enabling and using Search Traffic Analytics | Microsoft.Search/searchServices | OperationLogs |
| Azure Data Lake Store | Access diagnostics logs for Data Lake Store | Microsoft.DataLakeStore/accounts | Audit, Requests |
| Azure Data Lake Analytics | Access diagnostics logs for Data Lake Analytics | Microsoft.DataLakeAnalytics/accounts | Audit, Requests |
| Azure Logic Apps | Logic Apps B2B custom tracking schema | Microsoft.Logic/workflows, Microsoft.Logic/integrationAccounts | WorkflowRuntime, IntegrationAccountTrackingEvents |
| Azure Batch | Azure Batch diagnostics logs | Microsoft.Batch/batchAccounts | ServiceLog |
| Azure Automation | Log Analytics for Azure Automation | Microsoft.Automation/automationAccounts | JobLogs, JobStreams |
| Azure Event Hubs | Event Hubs diagnostics logs | Microsoft.EventHub/namespaces | ArchiveLogs, OperationalLogs |
| Azure Stream Analytics | Job diagnostics logs | Microsoft.StreamAnalytics/streamingjobs | Execution, Authoring |
| Azure Service Bus | Service Bus diagnostics logs | Microsoft.ServiceBus/namespaces | OperationalLogs |

Azure Active Directory reporting
Azure Active Directory (Azure AD) includes security, activity, and audit reports for a user's directory. The Azure AD
audit report helps you identify privileged actions that occurred in the user's Azure AD instance. Privileged actions
include elevation changes (for example, role creation or password resets), changing policy configurations (for
example, password policies), or changes to the directory configuration (for example, changes to domain federation
settings).
The reports provide the audit record for the event name, the user who performed the action, the target resource
affected by the change, and the date and time (in UTC). Users can retrieve the list of audit events for Azure AD via
the Azure portal, as described in View your audit logs.
The included reports are listed in the following table:

| SECURITY REPORTS | ACTIVITY REPORTS | AUDIT REPORTS |
|---|---|---|
| Sign-ins from unknown sources | Application usage: summary | Directory audit report |
| Sign-ins after multiple failures | Application usage: detailed | |
| Sign-ins from multiple geographies | Application dashboard | |
| Sign-ins from IP addresses with suspicious activity | Account provisioning errors | |
| Irregular sign-in activity | Individual user devices | |
| Sign-ins from possibly infected devices | Individual user activity | |
| Users with anomalous sign-in activity | Groups activity report | |
| | Password reset registration activity report | |
| | Password reset activity | |

The data in these reports can be useful to your applications, such as Security Information and Event Management
(SIEM) systems, audit, and business intelligence tools. The Azure AD reporting APIs provide programmatic access
to the data through a set of REST-based APIs. You can call these APIs from various programming languages and
tools.
Events in the Azure AD audit report are retained for 180 days.

NOTE
For more information about report retention, see Azure AD report retention policies.

If you're interested in retaining your audit events longer, use the Reporting API to regularly pull audit events into a
separate data store.
Virtual machine logs that use Azure Diagnostics
Azure Diagnostics is the capability within Azure that enables the collection of diagnostics data on a deployed
application. You can use the diagnostics extension from any of several sources. Currently supported are:
Azure cloud service web and worker roles
Azure virtual machines that are running Microsoft Windows and Service Fabric
You can enable Azure Diagnostics on a virtual machine by doing any of the following:
Use Visual Studio to trace Azure virtual machines
Set up Azure Diagnostics remotely on an Azure virtual machine
Use PowerShell to set up diagnostics on Azure virtual machines
Create a Windows virtual machine with monitoring and diagnostics by using an Azure Resource Manager
template
Storage Analytics
Azure Storage Analytics logs and provides metrics data for a storage account. You can use this data to trace
requests, analyze usage trends, and diagnose issues with your storage account. Storage Analytics logging is
available for the Azure Blob, Azure Queue, and Azure Table storage services. Storage Analytics logs detailed
information about successful and failed requests to a storage service.
You can use this information to monitor individual requests and to diagnose issues with a storage service. Requests
are logged on a best-effort basis. Log entries are created only if there are requests made against the service
endpoint. For example, if a storage account has activity in its blob endpoint but not in its table or queue endpoints,
only logs that pertain to the Blob storage service are created.
To use Storage Analytics, enable it individually for each service you want to monitor. You can enable it in the Azure
portal. For more information, see Monitor a storage account in the Azure portal. You can also enable Storage
Analytics programmatically via the REST API or the client library. Use the Set Service Properties operation to
enable Storage Analytics individually for each service.
The aggregated data is stored in a well-known blob (for logging) and in well-known tables (for metrics), which you
can access by using the Blob storage service and Table storage service APIs.
Storage Analytics has a 20-terabyte (TB) limit on the amount of stored data that is independent of the total limit for
your storage account. All logs are stored in block blobs in a container named $logs, which is automatically created
when you enable Storage Analytics for a storage account.
NOTE
For more information about billing and data retention policies, see Storage Analytics and billing.
For more information about storage account limits, see Azure Storage scalability and performance targets.

Storage Analytics logs the following types of authenticated and anonymous requests:

| AUTHENTICATED | ANONYMOUS |
|---|---|
| Successful requests | Successful requests |
| Failed requests, including timeout, throttling, network, authorization, and other errors | Requests using a shared access signature, including failed and successful requests |
| Requests using a shared access signature, including failed and successful requests | Time-out errors for both client and server |
| Requests to analytics data | Failed GET requests with error code 304 (not modified) |
| Requests made by Storage Analytics itself, such as log creation or deletion, are not logged. A full list of the logged data is documented in Storage Analytics logged operations and status messages and Storage Analytics log format. | All other failed anonymous requests are not logged. A full list of the logged data is documented in Storage Analytics logged operations and status messages and Storage Analytics log format. |

Azure networking logs
Network logging and monitoring in Azure is comprehensive and covers two broad categories:
Network Watcher: Scenario-based network monitoring is provided with the features in Network Watcher.
This service includes packet capture, next hop, IP flow verify, security group view, and NSG flow logs. Scenario-
level monitoring provides an end-to-end view of network resources, in contrast to individual network
resource monitoring.
Resource monitoring: Resource-level monitoring comprises four features: diagnostics logs, metrics,
troubleshooting, and resource health. All these features are built at the network resource level.

Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario
level in, to, and from Azure. Network diagnostics and visualization tools available with Network Watcher help you
understand, diagnose, and gain insights to your network in Azure.
Network Security Group flow logging
NSG flow logs are a feature of Network Watcher that you can use to view information about ingress and egress IP
traffic through an NSG. These flow logs are written in JSON format and show:
Outbound and inbound flows on a per-rule basis.
The NIC that the flow applies to.
5-tuple information about the flow: the source IP, the destination IP, the source port, the destination port,
and the protocol.
Whether the traffic was allowed or denied.
Although flow logs target NSGs, they are not displayed in the same way as the other logs. Flow logs are stored
only within a storage account.
The same retention policies that are seen on other logs apply to flow logs. Logs have a retention policy that you
can set from 1 day to 365 days. If a retention policy is not set, the logs are maintained forever.
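Reading the flow logs described above from the storage account, as an added example that is not part of the original article: the parser flattens each record into one entry per flow tuple (rule, NIC, 5-tuple, direction, decision) and then answers two questions a defender asks first, which sources are being denied most often and which of them touched many distinct ports. The record layout follows the version 1 flow log schema as assumed here (eight comma-separated fields per tuple), and the sample document, its IP addresses and NSG name are constructed.

```python
"""Summarize Network Watcher NSG flow logs (version 1 records) for defenders."""
import json
from collections import Counter, defaultdict

# Constructed sample in the layout of an NSG flow log blob, as assumed here:
# properties.flows[].rule -> flows[].mac / flowTuples. Each tuple is
# "unix_time,src_ip,dst_ip,src_port,dst_port,protocol(T/U),direction(I/O),decision(A/D)".
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2019-02-04T10:00:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/RG1/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
        "properties": {
            "Version": 1,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     "1549274400,203.0.113.7,10.1.0.4,51529,22,T,I,D",
                     "1549274401,203.0.113.7,10.1.0.4,51530,3389,T,I,D",
                     "1549274402,203.0.113.7,10.1.0.4,51531,445,T,I,D",
                     "1549274403,198.51.100.9,10.1.0.4,40000,8080,T,I,D",
                 ]}]},
                {"rule": "UserRule_allow-https",
                 "flows": [{"mac": "000D3AF8801A", "flowTuples": [
                     "1549274404,198.51.100.20,10.1.0.4,44321,443,T,I,A",
                     "1549274405,10.1.0.4,198.51.100.20,443,44321,T,O,A",
                 ]}]},
            ],
        },
    }]
})

PROTOCOLS = {"T": "TCP", "U": "UDP"}
DIRECTIONS = {"I": "inbound", "O": "outbound"}
DECISIONS = {"A": "allowed", "D": "denied"}


def parse_flow_log(raw_json):
    """Flatten a flow log document into one dict per flow tuple."""
    flows = []
    for record in json.loads(raw_json)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_entry in record["properties"]["flows"]:
            for nic in rule_entry["flows"]:
                for tup in nic["flowTuples"]:
                    ts, src, dst, sport, dport, proto, direction, decision = tup.split(",")
                    flows.append({
                        "nsg": nsg, "rule": rule_entry["rule"], "mac": nic["mac"],
                        "time": int(ts), "src_ip": src, "dst_ip": dst,
                        "src_port": int(sport), "dst_port": int(dport),
                        "protocol": PROTOCOLS.get(proto, proto),
                        "direction": DIRECTIONS.get(direction, direction),
                        "decision": DECISIONS.get(decision, decision),
                    })
    return flows


def denied_inbound_by_source(flows):
    """Count denied inbound flows per source IP; noisy sources stand out."""
    return Counter(f["src_ip"] for f in flows
                   if f["direction"] == "inbound" and f["decision"] == "denied")


def probing_sources(flows, min_ports=3):
    """Sources whose denied inbound flows reached at least min_ports distinct
    destination ports, a pattern worth a closer look in the other logs."""
    ports = defaultdict(set)
    for f in flows:
        if f["direction"] == "inbound" and f["decision"] == "denied":
            ports[f["src_ip"]].add(f["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    print("denied inbound per source:", denied_inbound_by_source(parsed))
    print("sources touching many ports:", probing_sources(parsed))
```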
Diagnostics logs
Periodic and spontaneous events are created by network resources and logged in storage accounts, and sent to an
event hub or Log Analytics. The logs provide insights into the health of a resource. They can be viewed in tools
such as Power BI and Log Analytics. To learn how to view diagnostics logs, see Log Analytics.

Diagnostics logs are available for Load Balancer, Network Security Groups, Routes, and Application Gateway.
Network Watcher provides a diagnostics logs view. This view contains all networking resources that support
diagnostics logging. From this view, you can enable and disable networking resources conveniently and quickly.
In addition to the previously mentioned logging capabilities, Network Watcher currently has the following
capabilities:
Topology: Provides a network-level view that shows the various interconnections and associations between
network resources in a resource group.
Variable packet capture: Captures packet data in and out of a virtual machine. Advanced filtering options
and fine-tuning controls, such as time- and size-limitation settings, provide versatility. The packet data can
be stored in a blob store or on the local disk in .cap file format.
IP flow verification: Checks whether a packet is allowed or denied based on its 5-tuple flow information
(that is, destination IP, source IP, destination port, source port, and protocol). If the packet is denied by a
security group, the rule and group that denied the packet are returned.
Next hop: Determines the next hop for packets being routed in the Azure network fabric, so that you can
diagnose any misconfigured user-defined routes.
Security group view: Gets the effective and applied security rules that are applied on a VM.
Virtual network gateway and connection troubleshooting: Helps you troubleshoot virtual network gateways
and connections.
Network subscription limits: Enables you to view network resource usage against limits.
Application Insights
Azure Application Insights is an extensible APM service for web developers on multiple platforms. Use it to
monitor live web applications. It automatically detects performance anomalies. It includes powerful analytics tools
to help you diagnose issues and to understand what users actually do with your app.
Application Insights is designed to help you continuously improve performance and usability.
It works for apps on a wide variety of platforms, including .NET, Node.js, and J2EE, whether they're hosted on-
premises or in the cloud. It integrates with your DevOps process and has connection points with various
development tools.

Application Insights is aimed at the development team, to help you understand how your app is performing and
how it's being used. It monitors:
Request rates, response times, and failure rates: Find out which pages are most popular, at what times
of day, and where your users are. See which pages perform best. If your response times and failure rates go
high when there are more requests, you might have a resourcing problem.
Dependency rates, response times, and failure rates: Find out whether external services are slowing
you down.
Exceptions: Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and
related requests. Both server and browser exceptions are reported.
Page views and load performance: Get reports from your users' browsers.
AJAX calls: Get webpage rates, response times, and failure rates.
User and session counts.
Performance counters: Get data from your Windows or Linux server machines, such as CPU, memory,
and network usage.
Host diagnostics: Get data from Docker or Azure.
Diagnostics trace logs: Get data from your app, so that you can correlate trace events with requests.
Custom events and metrics: Get data that you write yourself in the client or server code, to track business
events such as items sold or games won.
The following table lists and describes integration scenarios:

INTEGRATION SCENARIO | DESCRIPTION
Application map | The components of your app, with key metrics and alerts.
Diagnostics search for instance data | Search and filter events such as requests, exceptions, dependency calls, log traces, and page views.
Metrics Explorer for aggregated data | Explore, filter, and segment aggregated data such as rates of requests, failures, and exceptions; response times; page load times.
Dashboards | Mash up data from multiple resources and share with others. Great for multi-component applications, and for continuous display in the team room.
Live Metrics Stream | When you deploy a new build, watch these near-real-time performance indicators to make sure everything works as expected.
Analytics | Answer tough questions about your app's performance and usage by using this powerful query language.
Automatic and manual alerts | Automatic alerts adapt to your app's normal patterns of telemetry and are triggered when there's something outside the usual pattern. You can also set alerts on particular levels of custom or standard metrics.
Visual Studio | View performance data in the code. Go to code from stack traces.
Power BI | Integrate usage metrics with other business intelligence.
REST API | Write code to run queries over your metrics and raw data.
Continuous export | Bulk export of raw data to storage when it arrives.


Azure Security Center alerts


Azure Security Center threat detection works by automatically collecting security information from your Azure
resources, the network, and connected partner solutions. It analyzes this information, often correlating information
from multiple sources, to identify threats. Security alerts are prioritized in Security Center along with
recommendations on how to remediate the threat. For more information, see Azure Security Center.
Security Center employs advanced security analytics that go far beyond signature-based approaches. It applies
advances in big data and machine learning to evaluate events across the entire cloud fabric, detecting threats
that would be impossible to identify with manual approaches and predicting the evolution of attacks. These
security analytics include:
Integrated threat intelligence: Looks for known bad actors by applying global threat intelligence from
Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response
Center (MSRC), and external feeds.
Behavioral analytics: Applies known patterns to discover malicious behavior.
Anomaly detection: Uses statistical profiling to build a historical baseline. It alerts on deviations from
established baselines that conform to a potential attack vector.
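Both the Application Insights automatic alerts described earlier and the Security Center anomaly detection described here rest on the same idea: profile what the telemetry normally looks like, then alert on deviations from that profile. The block below is an added illustration of that statistical baseline approach in Python; it is not Microsoft's detection code. It profiles a constructed week of hourly failed sign-in counts per hour of day and flags a later observation that exceeds the hourly mean by more than k standard deviations, with an absolute floor so a flat baseline cannot alert on a single extra event. The series, the k=3 threshold and the floor of 5 are assumptions chosen for the example.

```python
"""Statistical baseline and deviation alerting over a constructed hourly event series.
Added example; the data and thresholds are assumptions, not platform defaults."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

Sample = Tuple[int, int]            # (hour_of_day, event_count)
Alert = Tuple[int, int, float]      # (hour_of_day, observed_count, threshold)


def build_baseline(history: List[Sample]) -> Dict[int, Tuple[float, float]]:
    """Profile each hour of the day as (mean, population stdev) of the counts seen in history."""
    by_hour = defaultdict(list)
    for hour, count in history:
        by_hour[hour].append(count)
    return {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}


def detect_deviations(baseline: Dict[int, Tuple[float, float]], observations: List[Sample],
                      k: float = 3.0, floor: float = 5) -> List[Alert]:
    """Return an alert for every observation above mean + max(k * stdev, floor) for its hour.
    The absolute floor keeps a near-zero stdev (a very regular baseline) from alerting on noise."""
    alerts: List[Alert] = []
    for hour, count in observations:
        mu, sigma = baseline[hour]
        threshold = mu + max(k * sigma, floor)
        if count > threshold:
            alerts.append((hour, count, round(threshold, 1)))
    return alerts


def constructed_day(day: int, spikes: Optional[Dict[int, int]] = None) -> List[Sample]:
    """Constructed hourly failed sign-in counts: business hours busier, small day-to-day drift,
    optionally overridden at given hours to simulate an attack."""
    spikes = spikes or {}
    base = lambda h: 2 + (10 if 8 <= h < 18 else 0) + day % 3
    return [(h, spikes.get(h, base(h))) for h in range(24)]


def run_example() -> List[Alert]:
    """Seven days of baseline, then a day with 90 failures at 03:00 (a password-spray pattern)."""
    history = [s for day in range(7) for s in constructed_day(day)]
    baseline = build_baseline(history)
    today = constructed_day(7, spikes={3: 90})
    return detect_deviations(baseline, today)


if __name__ == "__main__":
    for hour, count, threshold in run_example():
        print(f"ALERT hour={hour:02d} observed={count} baseline_threshold={threshold}")
```

Profiling per hour of day matters: 90 failures during a busy afternoon might only be worth a look, while 90 at three in the morning against a baseline of two or three is the deviation that "conforms to a potential attack vector". A baseline that ignores the time dimension would average the two and miss the off-hours event.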
Many security operations and incident response teams rely on a SIEM solution as the starting point for triaging
and investigating security alerts. With Azure Log Integration, you can sync Security Center alerts and virtual
machine security events, collected by Azure diagnostics and audit logs, with your Log Analytics or SIEM solution in
near real time.

Log Analytics
Log Analytics is a service in Azure that helps you collect and analyze data that's generated by resources in your
cloud and on-premises environments. It gives you real-time insights by using integrated search and custom
dashboards to readily analyze millions of records across all your workloads and servers, regardless of their
physical location.
At the center of Log Analytics is the Log Analytics workspace, which is hosted in Azure. Log Analytics collects data
in the workspace from connected sources by configuring data sources and adding solutions to your subscription.
Data sources and solutions each create different record types, each with its own set of properties. But sources and
solutions can still be analyzed together in queries to the workspace. This capability allows you to use the same
tools and methods to work with a variety of data collected by a variety of sources.
Connected sources are the computers and other resources that generate the data that's collected by Log Analytics.
Sources can include agents that are installed on Windows and Linux computers that connect directly, or agents in a
connected System Center Operations Manager management group. Log Analytics can also collect data from an
Azure storage account.
Data sources are the various kinds of data that's collected from each connected source. Sources include events and
performance data from Windows and Linux agents, in addition to sources such as IIS logs and custom text logs.
You configure each data source that you want to collect, and the configuration is automatically delivered to each
connected source.
There are four ways to collect logs and metrics for Azure services:
Azure Diagnostics direct to Log Analytics (Diagnostics in the following table)
Azure Diagnostics to Azure storage to Log Analytics (Storage in the following table)
Connectors for Azure services (Connector in the following table)
Scripts to collect and then post data into Log Analytics (blank cells in the following table and for services
that are not listed)

SERVICE | RESOURCE TYPE | LOGS | METRICS | SOLUTION
Azure Application Gateway | Microsoft.Network/applicationGateways | Diagnostics | Diagnostics | Azure Application Gateway Analytics
Application Insights | | Connector | Connector | Application Insights Connector (Preview)
Azure Automation accounts | Microsoft.Automation/AutomationAccounts | Diagnostics | | More information
Azure Batch accounts | Microsoft.Batch/batchAccounts | Diagnostics | Diagnostics |
Classic cloud services | | Storage | | More information
Cognitive Services | Microsoft.CognitiveServices/accounts | | Diagnostics |
Azure Data Lake Analytics | Microsoft.DataLakeAnalytics/accounts | Diagnostics | |
Azure Data Lake Store | Microsoft.DataLakeStore/accounts | Diagnostics | |
Azure Event Hub namespace | Microsoft.EventHub/namespaces | Diagnostics | Diagnostics |
Azure IoT Hub | Microsoft.Devices/IotHubs | | Diagnostics |
Azure Key Vault | Microsoft.KeyVault/vaults | Diagnostics | | Key Vault Analytics
Azure Load Balancer | Microsoft.Network/loadBalancers | Diagnostics | |
Azure Logic Apps | Microsoft.Logic/workflows; Microsoft.Logic/integrationAccounts | Diagnostics | Diagnostics |
Network Security Groups | Microsoft.Network/networksecuritygroups | Diagnostics | | Azure Network Security Group analytics
Recovery vaults | Microsoft.RecoveryServices/vaults | | | Azure Recovery Services Analytics (Preview)
Search services | Microsoft.Search/searchServices | Diagnostics | Diagnostics |
Service Bus namespace | Microsoft.ServiceBus/namespaces | Diagnostics | Diagnostics | Service Bus Analytics (Preview)
Service Fabric | | Storage | | Service Fabric Analytics (Preview)
SQL (v12) | Microsoft.Sql/servers/databases; Microsoft.Sql/servers/elasticPools | | Diagnostics |
Storage | | | Script | Azure Storage Analytics (Preview)
Azure Virtual Machines | Microsoft.Compute/virtualMachines | Extension | Extension; Diagnostics |
Virtual machine scale sets | Microsoft.Compute/virtualMachines; Microsoft.Compute/virtualMachineScaleSets/virtualMachines | | Diagnostics |
Web server farms | Microsoft.Web/serverfarms | | Diagnostics |
Websites | Microsoft.Web/sites; Microsoft.Web/sites/slots | | Diagnostics | More information


Log Integration with on-premises SIEM systems


With Azure Log Integration you can integrate raw logs from your Azure resources with your on-premises SIEM
system (security information and event management system). AzLog downloads were disabled on Jun 27, 2018.
For guidance on what to do moving forward, review the post Use Azure Monitor to integrate with SIEM tools.

Log Integration collects Azure diagnostics from your Windows virtual machines, Azure activity logs, Azure Security
Center alerts, and Azure resource provider logs. This integration provides a unified dashboard for all your assets,
whether they're on-premises or in the cloud, so that you can aggregate, correlate, analyze, and alert for security
events.
Log Integration currently supports the integration of Azure activity logs, Windows event logs from Windows
virtual machines with your Azure subscription, Azure Security Center alerts, Azure diagnostics logs, and Azure AD
audit logs.

LOG TYPE | LOG ANALYTICS SUPPORTING JSON (SPLUNK, ARCSIGHT, AND IBM QRADAR)
Azure AD audit logs | Yes
Activity logs | Yes
Security Center alerts | Yes
Diagnostics logs (resource logs) | Yes
VM logs | Yes, via forwarded events and not through JSON

Get started with Azure Log Integration: This tutorial walks you through installing Azure Log Integration and
integrating logs from Azure storage, Azure activity logs, Azure Security Center alerts, and Azure AD audit logs.
Integration scenarios for SIEM:
Partner configuration steps: This blog post shows you how to configure Azure Log Integration to work with
partner solutions Splunk, HP ArcSight, and IBM QRadar.
Azure Log Integration FAQ: This article answers questions about Azure Log Integration.
Integrating Security Center alerts with Azure Log Integration: This article discusses how to sync Security
Center alerts, virtual machine security events collected by Azure diagnostics logs, and Azure audit logs with
your Log Analytics or SIEM solution.
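The SIEMs listed above accept JSON, but many on-premises deployments still normalize Azure events to CEF (ArcSight's Common Event Format) before correlation. The block below is an added example of how a practitioner might do that mapping for activity-log records in Python; it is not the Azure Log Integration tool's own output format. The two records are constructed and use a simplified version of the activity-log JSON shape (operationName, level, caller, resourceId, status, subStatus, correlationId), and the mapping of Informational/Warning/Error/Critical to CEF severities 3/5/7/9 is an assumption.

```python
"""Turn activity-log JSON records into CEF lines a SIEM (ArcSight, Splunk, QRadar) can ingest.
Added example; the record shape is a simplified activity-log schema and the records are constructed."""
import json
from typing import Dict, List, Tuple

# Assumption: activity-log levels map to CEF severities 3/5/7/9 (CEF severity runs 0-10).
SEVERITY = {"Informational": 3, "Warning": 5, "Error": 7, "Critical": 9}


def _hdr(value: str) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _ext(value: str) -> str:
    """CEF extension values: escape backslash, '=' and line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def activity_to_cef(rec: Dict) -> str:
    """Map one activity-log record onto CEF:0 using standard extension keys
    (rt, suser, act, outcome) plus custom strings for the resource and correlation IDs."""
    op = rec["operationName"]["value"]
    sev = SEVERITY.get(rec.get("level", "Informational"), 3)
    ext: List[Tuple[str, str]] = [
        ("rt", rec["eventTimestamp"]),
        ("suser", rec.get("caller", "")),
        ("act", rec.get("status", {}).get("value", "")),
        ("outcome", rec.get("subStatus", {}).get("value", "")),
        ("cs1Label", "resourceId"), ("cs1", rec["resourceId"]),
    ]
    if rec.get("correlationId"):
        ext += [("cs2Label", "correlationId"), ("cs2", rec["correlationId"])]
    header = "|".join(["CEF:0", "Microsoft", "Azure Activity Log", "1", _hdr(op), _hdr(op), str(sev)])
    return header + "|" + " ".join(f"{k}={_ext(v)}" for k, v in ext if v)


def convert(lines: List[str]) -> List[str]:
    """One JSON object per input line, one CEF line out; blank lines are skipped."""
    return [activity_to_cef(json.loads(line)) for line in lines if line.strip()]


# Constructed sample records (simplified schema, not captured from a live subscription).
SAMPLE = [
    json.dumps({
        "eventTimestamp": "2018-06-27T10:15:42.123Z",
        "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
        "level": "Informational",
        "caller": "alice@contoso.example",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web",
        "status": {"value": "Succeeded"},
        "correlationId": "c1a2b3",
    }),
    json.dumps({
        "eventTimestamp": "2018-06-27T10:16:01.000Z",
        "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/delete"},
        "level": "Error",
        "caller": "bob@contoso.example",
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
                      "/providers/Microsoft.Network/networkSecurityGroups/web-nsg",
        "status": {"value": "Failed"},
        "subStatus": {"value": "Forbidden"},
    }),
]

if __name__ == "__main__":
    for line in convert(SAMPLE):
        print(line)
```

The escaping functions are the part that is easy to get wrong and that matters for security: a caller name or resource ID containing `|` or `=` that is written unescaped lets the event forge extra header fields or extension keys in the SIEM, so both helpers escape before the values are joined, never after.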

Next steps
Auditing and logging: Protect data by maintaining visibility and responding quickly to timely security alerts.
Security logging and audit-log collection within Azure: Enforce these settings to ensure that your Azure
instances are collecting the correct security and audit logs.
Configure audit settings for a site collection: If you're a site collection administrator, retrieve the history of
individual users' actions and the history of actions taken during a particular date range.
Search the audit log in the Office 365 Security & Compliance Center: Use the Office 365 Security &
Compliance Center to search the unified audit log and view user and administrator activity in your Office
365 organization.
Azure network security
9/5/2018 • 2 minutes to read

Abstract
Azure network services maximize flexibility, availability, resiliency, security, and integrity by design. This white paper
provides details on the networking functions of Azure. It also describes how customers can use the native security
features in Azure to help protect their information assets. The intended audiences for this white paper include:
Technical managers, network administrators, and developers who are looking for security solutions that are
available and supported in Azure.
SMEs or business process executives who want a high-level overview of the Azure technologies and services
that relate to network security in the Azure public cloud.
Download the white paper
Azure Functions and serverless platform security
12/12/2018 • 2 minutes to read

Abstract
Most enterprises need a significant amount of resources and time to manage servers, which adds cost. If
enterprises can use fewer resources to manage servers, they can focus on building great applications.
Serverless computing helps you do just that, because the infrastructure that you need to run and scale your apps is
managed for you. Serverless computing is the abstraction of servers, infrastructure, and operating systems.
Serverless computing is driven by the reaction to events and triggers, which are all taking place in near real-time—
in the cloud.
As a fully managed service, server management and capacity planning are invisible to the developer. The serverless
framework helps you develop and deploy serverless applications by using Azure Functions. It's a command-line
interface (CLI) that offers structure and automation to help you build sophisticated, event-driven, serverless
architectures composed of functions and events. An Azure function is an independent unit of deployment, like a
microservice. It's merely code, deployed in the cloud, that is most often written to perform a single job.
Despite the benefits, serverless security has its own risk factors to deal with. The serverless approach doesn’t
introduce new security concerns, but it requires having an approach to existing security concerns. This white paper
focuses on these security matters:
Benefits of a serverless platform
Security issues in serverless computing
Critical security issues and mitigations in the context of Azure
Securing the Microsoft serverless platform
Download the white paper
Container security in Microsoft Azure
9/5/2018 • 2 minutes to read

Abstract
Container technology is causing a structural change in the cloud-computing world. Containers make it possible to
run multiple instances of an application on a single instance of an operating system, thereby using resources more
efficiently. Containers give organizations consistency and flexibility. They enable continuous deployment because
the application can be developed on a desktop, tested in a virtual machine, and then deployed for production in the
cloud. Containers provide agility, streamlined operations, scalability, and reduced costs due to resource
optimization.
Because container technology is relatively new, many IT professionals have security concerns about the lack of
visibility and usage in a production environment. Development teams are often unaware of security best practices.
This white paper can help security operations teams and developers in selecting approaches to secure container
development and deployments on the Microsoft Azure platform.
This paper describes containers, container deployment and management, and native platform services. It also
describes runtime security issues that arise with the use of containers on the Azure platform. In figures and
examples, this paper focuses on Docker as the container model and Kubernetes as the container orchestrator. Most
of the security recommendations also apply to other container models from Microsoft partners on the Azure
platform.
Download the white paper
Azure Operational Security
9/5/2018 • 2 minutes to read

Abstract
Microsoft Azure operational security refers to the services, controls, and features available to users for protecting
their data, applications, and other assets in Azure. Azure operational security is built on a framework that
incorporates the knowledge gained through various capabilities that are unique to Microsoft, including the
Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep
awareness of the cybersecurity threat landscape. This white paper outlines how you can approach operational
security by using Azure. It covers several Azure services, including:
Azure Log Analytics
Azure Backup
Azure Security Center
Azure Monitor
Azure Network Watcher
Azure Storage Analytics
Azure Active Directory
Download the white paper
Isolation in the Azure Public Cloud
2/4/2019 • 22 minutes to read

Introduction
Overview
To help current and prospective Azure customers understand and use the various security-related capabilities
available in and surrounding the Azure platform, Microsoft has developed a series of white papers, security
overviews, best practices, and checklists. The topics range in breadth and depth and are updated
periodically. This document is part of that series, as summarized in the Abstract section that follows.
Azure Platform
Azure is an open and flexible cloud service platform that supports the broadest selection of operating systems,
programming languages, frameworks, tools, databases, and devices. For example, you can:
Run Linux containers with Docker integration;
Build apps with JavaScript, Python, .NET, PHP, Java, and Node.js; and
Build back-ends for iOS, Android, and Windows devices.
Microsoft Azure supports the same technologies millions of developers and IT professionals already rely on and
trust.
When you build on, or migrate IT assets to, a public cloud service provider, you are relying on that organization’s
abilities to protect your applications and data with the services and the controls they provide to manage the
security of your cloud-based assets.
Azure’s infrastructure is designed from the facility to applications for hosting millions of customers simultaneously,
and it provides a trustworthy foundation upon which businesses can meet their security needs. In addition, Azure
provides you with a wide array of configurable security options and the ability to control them so that you can
customize security to meet the unique requirements of your deployments. This document helps you meet these
requirements.
Abstract
Microsoft Azure allows you to run applications and virtual machines (VMs) on shared physical infrastructure. One
of the prime economic motivations to running applications in a cloud environment is the ability to distribute the
cost of shared resources among multiple customers. This practice of multi-tenancy improves efficiency by
multiplexing resources among disparate customers at low costs. Unfortunately, it also introduces the risk of
sharing physical servers and other infrastructure resources to run your sensitive applications and VMs that may
belong to an arbitrary and potentially malicious user.
This article outlines how Microsoft Azure provides isolation against both malicious and non-malicious users and
serves as a guide for architecting cloud solutions by offering various isolation choices to architects. This white
paper focuses on the technology of Azure platform and customer-facing security controls, and does not attempt to
address SLAs, pricing models, and DevOps practice considerations.

Tenant Level Isolation


One of the primary benefits of cloud computing is the concept of a shared, common infrastructure across numerous
customers simultaneously, leading to economies of scale. This concept is called multi-tenancy. Microsoft works
continuously to ensure that the multi-tenant architecture of Microsoft Azure supports security,
confidentiality, privacy, integrity, and availability standards.
In the cloud-enabled workplace, a tenant can be defined as a client or organization that owns and manages a
specific instance of that cloud service. With the identity platform provided by Microsoft Azure, a tenant is simply a
dedicated instance of Azure Active Directory (Azure AD) that your organization receives and owns when it signs up
for a Microsoft cloud service.
Each Azure AD directory is distinct and separate from other Azure AD directories. Just like a corporate office
building is a secure asset specific to only your organization, an Azure AD directory was also designed to be a
secure asset for use by only your organization. The Azure AD architecture isolates customer data and identity
information from co-mingling. This means that users and administrators of one Azure AD directory cannot
accidentally or maliciously access data in another directory.
Azure Tenancy
Azure tenancy (Azure Subscription) refers to a “customer/billing” relationship and a unique tenant in Azure Active
Directory. Tenant level isolation in Microsoft Azure is achieved using Azure Active Directory and role-based
controls offered by it. Each Azure subscription is associated with one Azure Active Directory (AD) directory.
Users, groups, and applications from that directory can manage resources in the Azure subscription. You can
assign these access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. An
Azure AD tenant is logically isolated using security boundaries so that no customer can access or compromise co-
tenants, either maliciously or accidentally. Azure AD runs on “bare metal” servers isolated on a segregated network
segment, where host-level packet filtering and Windows Firewall block unwanted connections and traffic.
Access to data in Azure AD requires user authentication via a security token service (STS). Information on the
user’s existence, enabled state, and role is used by the authorization system to determine whether the requested
access to the target tenant is authorized for this user in this session.

Tenants are discrete containers and there is no relationship between these.


No access across tenants unless tenant admin grants it through federation or provisioning user accounts
from other tenants.
Physical access to servers that comprise the Azure AD service, and direct access to Azure AD’s back-end
systems, is restricted.
Azure AD users have no access to physical assets or locations, and therefore it is not possible for them to
bypass the logical RBAC policy checks stated following.
For diagnostics and maintenance needs, an operational model that employs a just-in-time privilege elevation
system is required and used. Azure AD Privileged Identity Management (PIM) introduces the concept of an eligible
admin. Eligible admins should be users that need privileged access now and then, but not every day. The role is
inactive until the user needs access, then they complete an activation process and become an active admin for a
predetermined amount of time.

Azure Active Directory hosts each tenant in its own protected container, with policies and permissions to and within
the container solely owned and managed by the tenant.
The concept of tenant containers is deeply ingrained in the directory service at all layers, from portals all the way to
persistent storage.
Even when metadata from multiple Azure Active Directory tenants is stored on the same physical disk, there is no
relationship between the containers other than what is defined by the directory service, which in turn is dictated by
the tenant administrator.
Azure Role-Based Access Control (RBAC)
Azure Role-Based Access Control (RBAC) helps you to share various components available within an Azure
subscription by providing fine-grained access management for Azure. Azure RBAC enables you to segregate duties
within your organization and grant access based on what users need to perform their jobs. Instead of giving
everybody unrestricted permissions in Azure subscription or resources, you can allow only certain actions.
Azure RBAC has three basic roles that apply to all resource types:
Owner has full access to all resources including the right to delegate access to others.
Contributor can create and manage all types of Azure resources but can’t grant access to others.
Reader can view existing Azure resources.
The rest of the RBAC roles in Azure allow management of specific Azure resources. For example, the Virtual
Machine Contributor role allows the user to create and manage virtual machines. It does not give them access to
the Azure Virtual Network or the subnet that the virtual machine connects to.
RBAC built-in roles list the roles available in Azure. It specifies the operations and scope that each built-in role
grants to users. If you're looking to define your own roles for even more control, see how to build Custom roles in
Azure RBAC.
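The role model described above, Actions granted by a role, NotActions subtracted from it, and assignments at a scope that apply to everything beneath that scope, can be exercised in code. The following is an added example written for this page, not Azure's authorization service, of that evaluation in Python. Owner, Contributor and Reader are modelled from their built-in definitions; the Virtual Machine Contributor definition is an abbreviated subset (an assumption for the example); principal names and resource IDs are constructed; and deny assignments and DataActions are left out.

```python
"""Azure-RBAC-style authorization: role definitions with Actions/NotActions, assignments at a scope,
and inheritance down the scope hierarchy. Added example, not the platform's authorization code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


def _match(pattern: str, action: str) -> bool:
    """RBAC wildcard semantics: '*' matches any run of characters; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


@dataclass
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)

    def permits(self, action: str) -> bool:
        # NotActions subtract from this role's Actions; they are not a deny, so another
        # assignment on the same principal can still grant the action.
        return (any(_match(a, action) for a in self.actions)
                and not any(_match(n, action) for n in self.not_actions))


@dataclass
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str   # subscription, resource group, or resource ID


def scope_contains(scope: str, resource: str) -> bool:
    """An assignment at `scope` applies to the scope itself and every ID beneath it."""
    s, r = scope.lower().rstrip("/"), resource.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def authorize(assignments: List[RoleAssignment], principal: str,
              action: str, resource: str) -> Optional[str]:
    """Return the name of the first role that grants `action` on `resource`, or None."""
    for a in assignments:
        if a.principal == principal and scope_contains(a.scope, resource) and a.role.permits(action):
            return a.role.name
    return None


OWNER = RoleDefinition("Owner", ["*"])
CONTRIBUTOR = RoleDefinition("Contributor", ["*"], [
    "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"])
READER = RoleDefinition("Reader", ["*/read"])
# Abbreviated subset of the built-in Virtual Machine Contributor role (assumption: trimmed for the example).
VM_CONTRIBUTOR = RoleDefinition("Virtual Machine Contributor", [
    "Microsoft.Compute/virtualMachines/*", "Microsoft.Compute/availabilitySets/*",
    "Microsoft.Network/networkInterfaces/*", "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"])

# Constructed scopes and principals.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DB = SUB + "/resourceGroups/rg-db"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = RG_DB + "/providers/Microsoft.Compute/virtualMachines/db01"
VNET = RG_WEB + "/providers/Microsoft.Network/virtualNetworks/vnet-web"

ASSIGNMENTS = [
    RoleAssignment("alice", OWNER, SUB),
    RoleAssignment("bob", CONTRIBUTOR, RG_WEB),
    RoleAssignment("carol", VM_CONTRIBUTOR, RG_WEB),
    RoleAssignment("dave", READER, SUB),
]

if __name__ == "__main__":
    for who, act, res in [("carol", "Microsoft.Compute/virtualMachines/start/action", VM_WEB),
                          ("carol", "Microsoft.Network/virtualNetworks/write", VNET),
                          ("bob", "Microsoft.Authorization/roleAssignments/write", RG_WEB),
                          ("bob", "Microsoft.Compute/virtualMachines/write", VM_DB)]:
        print(who, act, "->", authorize(ASSIGNMENTS, who, act, res) or "denied")
```

Two things the evaluation makes concrete: Contributor's NotActions are what stop it from granting roles to others, so Owner and Contributor differ only by those three patterns; and Virtual Machine Contributor scoped to rg-web can start a VM there and read its virtual network, but cannot write the network and has no access at all to a VM in rg-db, which is the scope-plus-role combination the text describes.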
Some other capabilities for Azure Active Directory include:
Azure AD enables SSO to SaaS applications, regardless of where they are hosted. Some applications are
federated with Azure AD, and others use password SSO. Federated applications can also support user
provisioning and password vaulting.
Access to data in Azure Storage is controlled via authentication. Each storage account has two account keys
(a primary and a secondary, so one can be rotated while the other stays in use). A shared access signature
(SAS) is not a second key: it is a token signed with an account key that delegates scoped, time-limited
access to the storage account without exposing the key itself.
Azure AD provides Identity as a Service through federation by using Active Directory Federation Services,
synchronization, and replication with on-premises directories.
Azure Multi-Factor Authentication is the multi-factor authentication service that requires users to verify
sign-ins by using a mobile app, phone call, or text message. It can be used with Azure AD to help secure on-
premises resources with the Azure Multi-Factor Authentication server, and also with custom applications
and directories using the SDK.
Azure AD Domain Services lets you join Azure virtual machines to an Active Directory domain without
deploying domain controllers. You can sign in to these virtual machines with your corporate Active
Directory credentials and administer domain-joined virtual machines by using Group Policy to enforce
security baselines on all your Azure virtual machines.
Azure Active Directory B2C provides a highly available global-identity management service for consumer-
facing applications that scales to hundreds of millions of identities. It can be integrated across mobile and
web platforms. Your consumers can sign in to all your applications through customizable experiences by
using their existing social accounts or by creating credentials.
Isolation from Microsoft Administrators & Data Deletion
Microsoft takes strong measures to protect your data from inappropriate access or use by unauthorized persons.
These operational processes and controls are backed by the Online Services Terms, which offer contractual
commitments that govern access to your data.
Microsoft engineers do not have default access to your data in the cloud. Instead, they are granted access,
under management oversight, only when necessary. That access is carefully controlled and logged, and
revoked when it is no longer needed.
Microsoft may hire other companies to provide limited services on its behalf. Subcontractors may access
customer data only to deliver the services we have hired them to provide, and they are prohibited
from using it for any other purpose. Further, they are contractually bound to maintain the confidentiality of
our customers’ information.
Business services with audited certifications such as ISO/IEC 27001 are regularly verified by Microsoft and
accredited audit firms, which perform sample audits to attest that access is granted only for legitimate business
purposes.
You can always access your own customer data at any time and for any reason.
If you delete any data, Microsoft Azure deletes the data, including any cached or backup copies. For in-scope
services, that deletion will occur within 90 days after the end of the retention period. (In-scope services are defined
in the Data Processing Terms section of our Online Services Terms.)
If a disk drive used for storage suffers a hardware failure, it is securely erased or destroyed before Microsoft
returns it to the manufacturer for replacement or repair. The data on the drive is overwritten to ensure that the data
cannot be recovered by any means.

Compute Isolation
Microsoft Azure provides various cloud-based computing services that include a wide selection of compute
instances and services that can scale up and down automatically to meet the needs of your application or enterprise.
These compute instances and services offer isolation at multiple levels to secure data without sacrificing the
flexibility in configuration that customers demand.
Isolated Virtual Machine Sizes
Azure Compute offers virtual machine sizes that are Isolated to a specific hardware type and dedicated to a single
customer. These virtual machine sizes are best suited for workloads that require a high degree of isolation from
other customers for workloads involving elements like compliance and regulatory requirements. Customers can
also choose to further subdivide the resources of these Isolated virtual machines by using Azure support for
nested virtual machines.
Utilizing an isolated size guarantees that your virtual machine will be the only one running on that specific server
instance. The current Isolated virtual machine offerings include:
Standard_E64is_v3
Standard_E64i_v3
Standard_M128ms
Standard_GS5
Standard_G5
Standard_DS15_v2
Standard_D15_v2
You can learn more about each Isolated size available here.
Hyper-V & Root OS Isolation Between Root VM & Guest VMs
Azure’s compute platform is based on machine virtualization—meaning that all customer code executes in a
Hyper-V virtual machine. On each Azure node (or network endpoint), there is a Hypervisor that runs directly over
the hardware and divides a node into a variable number of Guest Virtual Machines (VMs).
Each node also has one special Root VM, which runs the Host OS. A critical boundary is the isolation of the root
VM from the guest VMs and the guest VMs from one another, managed by the hypervisor and the root OS. The
hypervisor/root OS pairing leverages Microsoft's decades of operating system security experience, and more
recent learning from Microsoft's Hyper-V, to provide strong isolation of guest VMs.
The Azure platform uses a virtualized environment. User instances operate as standalone virtual machines that do
not have access to a physical host server.
The Azure hypervisor acts like a micro-kernel and passes all hardware access requests from guest virtual machines
to the host for processing by using a shared-memory interface called VMBus. This prevents users from obtaining
raw read/write/execute access to the system and mitigates the risk of sharing system resources.
Advanced VM placement algorithm & protection from side channel attacks
Any cross-VM attack involves two steps: placing an adversary-controlled VM on the same host as one of the victim
VMs, and then breaching the isolation boundary to either steal sensitive victim information or affect its
performance for greed or vandalism. Microsoft Azure provides protection at both steps by using an advanced VM
placement algorithm and protection from all known side channel attacks including noisy neighbor VMs.
The Azure Fabric Controller
The Azure Fabric Controller is responsible for allocating infrastructure resources to tenant workloads, and it
manages unidirectional communications from the host to virtual machines. The VM placement algorithm of the Azure
fabric controller is highly sophisticated and nearly impossible to predict at the physical host level.
The Azure hypervisor enforces memory and process separation between virtual machines, and it securely routes
network traffic to guest OS tenants. This is intended to eliminate side channel attacks at the VM level.
In Azure, the root VM is special: it runs a hardened operating system called the root OS that hosts a fabric agent
(FA). FAs are used in turn to manage guest agents (GA) within guest OSes on customer VMs. FAs also manage
storage nodes.
The collection of Azure hypervisor, root OS/FA, and customer VMs/GAs comprises a compute node. FAs are
managed by a fabric controller (FC), which exists outside of compute and storage nodes (compute and storage
clusters are managed by separate FCs). If a customer updates their application’s configuration file while it’s
running, the FC communicates with the FA, which then contacts GAs, which notify the application of the
configuration change. In the event of a hardware failure, the FC will automatically find available hardware and
restart the VM there.

Communication from a Fabric Controller to an agent is unidirectional. The agent implements an SSL-protected
service that only responds to requests from the controller. It cannot initiate connections to the controller or other
privileged internal nodes. The FC treats all responses as if they were untrusted.
Isolation extends from the root VM to the guest VMs, and between the guest VMs themselves. Compute nodes are
also isolated from storage nodes for increased protection.
The hypervisor and the host OS provide network packet filters to help assure that untrusted virtual machines
cannot generate spoofed traffic or receive traffic not addressed to them, direct traffic to protected infrastructure
endpoints, or send/receive inappropriate broadcast traffic.
Additional Rules Configured by Fabric Controller Agent to Isolate VM
By default, all traffic is blocked when a virtual machine is created, and then the fabric controller agent configures
the packet filter to add rules and exceptions to allow authorized traffic.
There are two categories of rules that are programmed:
Machine configuration or infrastructure rules: By default, all communication is blocked. There are
exceptions to allow a virtual machine to send and receive DHCP and DNS traffic. Virtual machines can also
send traffic to the “public” internet and send traffic to other virtual machines within the same Azure Virtual
Network and the OS activation server. The virtual machines’ list of allowed outgoing destinations does not
include Azure router subnets, Azure management, and other Microsoft properties.
Role configuration file: This defines the inbound Access Control Lists (ACLs) based on the tenant's
service model.
VLAN Isolation
There are three VLANs in each cluster:
The main VLAN – interconnects untrusted customer nodes
The FC VLAN – contains trusted FCs and supporting systems
The device VLAN – contains trusted network and other infrastructure devices
Communication is permitted from the FC VLAN to the main VLAN, but cannot be initiated from the main VLAN
to the FC VLAN. Communication is also blocked from the main VLAN to the device VLAN. This assures that even
if a node running customer code is compromised, it cannot attack nodes on either the FC or device VLANs.

Storage Isolation
Logical Isolation Between Compute and Storage
As part of its fundamental design, Microsoft Azure separates VM-based computation from storage. This separation
enables computation and storage to scale independently, making it easier to provide multi-tenancy and isolation.
Therefore, Azure Storage runs on separate hardware with no network connectivity to Azure Compute except
logically. Virtual disks are also allocated lazily: when a virtual disk is created, disk space is not allocated for its
entire capacity. Instead, a table is created that maps addresses on the virtual disk to areas on the physical disk, and
that table is initially empty. The first time a customer writes data on the virtual disk, space on the physical disk is
allocated, and a pointer to it is placed in the table.
Isolation Using Storage Access Control
Azure Storage has a simple access control model. Each Azure subscription can create one or more Storage
Accounts. Each Storage Account has a secret key (issued as a pair, so one key can be rotated while the other stays in
use) that controls access to all data in that Storage Account.
Access to Azure Storage data (including Tables) can be controlled through a SAS (Shared Access Signature)
token, which grants scoped access. The SAS is created through a query template (URL), signed with the SAK
(Storage Account Key). That signed URL can be given to another process (that is, delegated), which can then fill in
the details of the query and make the request of the storage service. A SAS enables you to grant time-based access
to clients without revealing the storage account's secret key.
A SAS therefore lets you grant a client limited permissions to objects in your storage account, for a specified
period of time and with a specified set of permissions, without sharing your account access keys. Because the
signature covers the resource, the permissions and the validity window, a client cannot widen any of them without
invalidating the signature.
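The following is an added example, not code from the Azure documentation or the Azure SDK, showing the mechanism behind a SAS: the account key signs a query template that bakes in the target resource, the permissions and the validity window, and the service recomputes that signature from the request it actually receives. The account name and key are constructed test values, and the string-to-sign layout is assumed to be that of the 2015-04-05 Blob service SAS version (newer versions add fields after the version field); the verifier function is a model of what the storage service does, written here so the checks can be exercised offline.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample values: a fixed 64-byte test pattern stands in for the account key.
ACCOUNT_NAME = "examplestorage"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

# Assumption: the 2015-04-05 Blob service SAS string-to-sign layout (permissions, start,
# expiry, canonicalized resource, identifier, IP range, protocol, version, then five
# response-header override fields). Later versions insert extra fields after "version".
SAS_VERSION = "2015-04-05"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def string_to_sign(account, container, blob, permissions, start, expiry,
                   identifier="", ip_range="", protocol="https"):
    """The query template the account key signs. The resource path is part of it, so the
    resulting signature only ever authorizes this one blob."""
    canonical_resource = f"/blob/{account}/{container}/{blob}"
    fields = [permissions, start, expiry, canonical_resource, identifier, ip_range,
              protocol, SAS_VERSION, "", "", "", "", ""]  # rscc, rscd, rsce, rscl, rsct
    return "\n".join(fields)


def sign(account_key_b64, text):
    """HMAC-SHA256 over the string-to-sign, keyed with the base64-decoded account key."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_blob_sas(account, key_b64, container, blob, permissions, start, expiry):
    """Issuer side: the SAS query string to append to the blob URL. Only the issuer
    holds the account key; the recipient of the SAS never sees it."""
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    sig = sign(key_b64, string_to_sign(account, container, blob, permissions, st, se))
    return urlencode({"sv": SAS_VERSION, "sp": permissions, "st": st, "se": se,
                      "spr": "https", "sig": sig})


def verify_blob_sas(account, key_b64, container, blob, query, now, required_permission):
    """Service side (modelled here): recompute the signature from the request's own target
    and query parameters, then enforce the validity window and the requested permission."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if q.get("sv") != SAS_VERSION:
        return False, "unsupported version"
    expected = sign(key_b64, string_to_sign(account, container, blob, q["sp"], q["st"],
                                            q["se"], protocol=q.get("spr", "https")))
    if not hmac.compare_digest(expected, q["sig"]):
        return False, "signature mismatch"   # resource, permissions or times were altered
    start = datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not start <= now < expiry:
        return False, "outside validity window"
    if required_permission not in q["sp"]:
        return False, "permission not granted"
    return True, "ok"


def sas_demo():
    """Issue a one-hour read-only SAS for one blob and exercise the service-side checks."""
    issued = datetime(2019, 2, 4, 9, 0, 0, tzinfo=timezone.utc)
    sas = make_blob_sas(ACCOUNT_NAME, ACCOUNT_KEY_B64, "invoices", "q1.pdf", "r",
                        issued, issued + timedelta(hours=1))
    acct = (ACCOUNT_NAME, ACCOUNT_KEY_B64)
    soon = issued + timedelta(minutes=30)
    return {
        "valid_read": verify_blob_sas(*acct, "invoices", "q1.pdf", sas, soon, "r"),
        # same token presented against a different blob in the same container
        "other_blob": verify_blob_sas(*acct, "invoices", "payroll.xlsx", sas, soon, "r"),
        "expired": verify_blob_sas(*acct, "invoices", "q1.pdf", sas, issued + timedelta(hours=2), "r"),
        "write_attempt": verify_blob_sas(*acct, "invoices", "q1.pdf", sas, soon, "w"),
        # client edits sp=r to sp=rw in the URL it was handed
        "escalated": verify_blob_sas(*acct, "invoices", "q1.pdf", sas.replace("sp=r", "sp=rw"), soon, "w"),
    }


if __name__ == "__main__":
    for case, outcome in sas_demo().items():
        print(f"{case:14s} -> {outcome}")
```

Only the first case succeeds: retargeting the token to another blob, extending its permissions, or presenting it after expiry all fail, and none of those checks required the client to ever hold the account key.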
IP Level Storage Isolation
You can establish firewalls and define an IP address range for your trusted clients. With an IP address range, only
clients that have an IP address within the defined range can connect to Azure Storage.
Storage data can also be protected from unauthorized users by a networking mechanism that allocates a dedicated
tunnel for traffic to storage.
Encryption
Azure offers the following types of Encryption to protect data:
Encryption in transit
Encryption at rest
Encryption in Transit
Encryption in transit is a mechanism of protecting data when it is transmitted across networks. With Azure Storage,
you can secure data using:
Transport-level encryption, such as HTTPS when you transfer data into or out of Azure Storage.
Wire encryption, such as SMB 3.0 encryption for Azure File shares.
Client-side encryption, to encrypt the data before it is transferred into storage and to decrypt the data after
it is transferred out of storage.
Encryption at Rest
For many organizations, data encryption at rest is a mandatory step towards data privacy, compliance, and data
sovereignty. There are three Azure features that provide encryption of data that is “at rest”:
Storage Service Encryption allows you to request that the storage service automatically encrypt data when
writing it to Azure Storage.
Client-side Encryption also provides the feature of encryption at rest.
Azure Disk Encryption allows you to encrypt the OS disks and data disks used by an IaaS virtual machine.
Azure Disk Encryption
Azure Disk Encryption for virtual machines (VMs) helps you address organizational security and compliance
requirements by encrypting your VM disks (including boot and data disks) with keys and policies you control in
Azure Key Vault.
The Disk Encryption solution for Windows is based on Microsoft BitLocker Drive Encryption, and the Linux
solution is based on dm-crypt.
The solution supports the following scenarios for IaaS VMs when they are enabled in Microsoft Azure:
Integration with Azure Key Vault
Standard tier VMs: A, D, DS, G, GS, and so forth, series IaaS VMs
Enabling encryption on Windows and Linux IaaS VMs
Disabling encryption on OS and data drives for Windows IaaS VMs
Disabling encryption on data drives for Linux IaaS VMs
Enabling encryption on IaaS VMs that are running Windows client OS
Enabling encryption on volumes with mount paths
Enabling encryption on Linux VMs that are configured with disk striping (RAID) by using mdadm
Enabling encryption on Linux VMs by using LVM (Logical Volume Manager) for data disks
Enabling encryption on Windows VMs that are configured by using storage spaces
All Azure public regions are supported
The solution does not support the following scenarios, features, and technology in the release:
Basic tier IaaS VMs
Disabling encryption on an OS drive for Linux IaaS VMs
IaaS VMs that are created by using the classic VM creation method
Integration with your on-premises Key Management Service
Azure Files (shared file system), Network File System (NFS), dynamic volumes, and Windows VMs that are
configured with software-based RAID systems

SQL Azure Database Isolation
SQL Database is a relational database service in the Microsoft cloud based on the market-leading Microsoft SQL
Server engine and capable of handling mission-critical workloads. SQL Database offers predictable data isolation
at the account level, by geography/region, and at the network level, all with near-zero administration.
SQL Azure Application Model
Microsoft SQL Azure Database is a cloud-based relational database service built on SQL Server technologies. It
provides a highly available, scalable, multi-tenant database service hosted by Microsoft in the cloud.
From an application perspective, SQL Azure provides a hierarchy in which each level has one-to-many containment
of the levels below it.
The account and subscription are Microsoft Azure platform concepts used to associate billing and management.
Logical servers and databases are SQL Azure-specific concepts and are managed through the OData and TSQL
interfaces that SQL Azure provides, or through the SQL Azure portal, which is integrated into the Azure portal.
SQL Azure servers are not physical or VM instances; instead they are collections of databases sharing management
and security policies, which are stored in the so-called "logical master" database.

Logical master databases include:
SQL logins used to connect to the server
Firewall rules
Billing and usage-related information
SQL Azure databases from the same logical server are not guaranteed to be on the same physical instance in the
SQL Azure cluster; instead, applications must provide the target database name when connecting.
From a customer perspective, a logical server is created in a geographical region, while the actual creation of the
server happens in one of the clusters in the region.
Isolation through Network Topology
When a logical server is created and its DNS name is registered, the DNS name points to the so called “Gateway
VIP” address in the specific data center where the server was placed.
Behind the VIP (virtual IP address), we have a collection of stateless gateway services. In general, gateways get
involved when there is coordination needed between multiple data sources (master database, user database, etc.).
Gateway services implement the following:
TDS connection proxying. This includes locating user database in the backend cluster, implementing the
login sequence and then forwarding the TDS packets to the backend and back.
Database management. This includes implementing a collection of workflows to do
CREATE/ALTER/DROP database operations. The database operations can be invoked by either sniffing TDS
packets or explicit OData APIs.
CREATE/ALTER/DROP login/user operations
Logical server management operations via OData API

The tier behind the gateways is called “back-end”. This is where all the data is stored in a highly available fashion.
Each piece of data is said to belong to a “partition” or “failover unit”, each of them having at least three replicas.
Replicas are stored and replicated by SQL Server engine and managed by a failover system often referred to as
“fabric”.
Generally, the back-end system does not communicate outbound to other systems as a security precaution. This is
reserved to the systems in the front-end (gateway) tier. The gateway tier machines have limited privileges on the
back-end machines to minimize the attack surface as a defense-in-depth mechanism.
Isolation by Machine Function and Access
SQL Azure is composed of services running on different machine functions. SQL Azure is divided into "backend"
Cloud Database and "front-end" (Gateway/Management) environments, with the general principle that traffic only
goes into the back-end and not out. The front-end environment can communicate with the outside world of other
services and, in general, has only limited permissions in the back-end (enough to call the entry points it needs to
invoke).

Networking Isolation
Azure deployment has multiple layers of network isolation. The following diagram shows various layers of network
isolation Azure provides to customers. These layers are both native in the Azure platform itself and customer-
defined features. Inbound from the Internet, Azure DDoS provides isolation against large-scale attacks against
Azure. The next layer of isolation is customer-defined public IP addresses (endpoints), which are used to determine
which traffic can pass through the cloud service to the virtual network. Native Azure virtual network isolation
ensures complete isolation from all other networks, and that traffic only flows through user configured paths and
methods. These paths and methods are the next layer, where NSGs, UDR, and network virtual appliances can be
used to create isolation boundaries to protect the application deployments in the protected network.

Traffic isolation: A virtual network is the traffic isolation boundary on the Azure platform. Virtual machines (VMs)
in one virtual network cannot communicate directly to VMs in a different virtual network, even if both virtual
networks are created by the same customer. Isolation is a critical property that ensures customer VMs and
communication remains private within a virtual network.
Subnets offer an additional layer of isolation within a virtual network based on IP range. Using the IP address
space of the virtual network, you can divide the virtual network into multiple subnets for organization and security.
VMs and PaaS role instances deployed to subnets (same or different) within a VNet can communicate with each
other without any extra configuration. You can also configure network security groups (NSGs) to allow or deny
network traffic to a VM instance based on rules configured in the access control list (ACL) of the NSG. NSGs can be
associated with either subnets or individual VM instances within that subnet. When an NSG is associated with a
subnet, the ACL rules apply to all the VM instances in that subnet.
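The following is an added example, not code from the Azure documentation, that models how the NSG rules just described are evaluated for inbound traffic, and it illustrates the same default-deny-with-explicit-exceptions pattern the host packet filters use: every NSG carries the platform default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound), the lowest priority number that matches decides, and inbound traffic must be allowed by both the subnet NSG and the NIC NSG. The address plan, rule sets and flows are constructed for the example; the expansion of the VirtualNetwork service tag to 10.0.0.0/16 is an assumption tied to that address plan, and only the inbound direction is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan. 168.63.129.16 is the Azure load balancer / health-probe
# address; the VirtualNetwork expansion is an assumption matching this example's VNet.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower number wins; custom rules 100-4096, platform defaults 65000+
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp" or "*"
    source: str       # CIDR, service tag or "*"
    destination: str
    dest_ports: str   # "443", "1000-2000", "22,3389" or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


# The inbound default rules Azure places in every NSG; they can be overridden by a
# lower-numbered custom rule but not removed.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]


def _addr_match(spec, ip):
    if spec == "*":
        return True
    return any(ip_address(ip) in ip_network(n) for n in SERVICE_TAGS.get(spec, [spec]))


def _port_match(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _matches(rule, flow):
    return (rule.direction == flow.direction
            and rule.protocol in ("*", flow.protocol)
            and _addr_match(rule.source, flow.src_ip)
            and _addr_match(rule.destination, flow.dst_ip)
            and _port_match(rule.dest_ports, flow.dst_port))


def validate(custom_rules):
    """Reject what the platform rejects: out-of-range or duplicate custom priorities."""
    seen = set()
    for r in custom_rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if (r.direction, r.priority) in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority}")
        seen.add((r.direction, r.priority))


def evaluate_inbound(custom_rules, flow):
    """First matching rule in priority order decides; evaluation stops there."""
    validate(custom_rules)
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "no-match"   # unreachable: DenyAllInBound matches every inbound flow


def effective_inbound(subnet_rules, nic_rules, flow):
    """Inbound traffic crosses the subnet NSG first and then the NIC NSG; both must allow."""
    for rules in (subnet_rules, nic_rules):
        access, name = evaluate_inbound(rules, flow)
        if access == "Deny":
            return "Deny", name
    return "Allow", "both-allowed"


# Constructed rule sets: a web subnet NSG and a NIC-level NSG on a database VM.
SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "*", "*", "443"),
    Rule("AllowSshFromBastion", 110, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "*", "22"),
    Rule("DenySshFromAnywhere", 120, "Inbound", "Deny", "Tcp", "*", "*", "22"),
]
NIC_NSG = [
    Rule("AllowSqlFromApp", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "*", "1433"),
    Rule("DenyVnetInBound", 200, "Inbound", "Deny", "*", "VirtualNetwork", "*", "*"),  # overrides the 65000 default
]
# The same subnet rules with the deny placed ahead of the bastion allow: a common misordering.
MISORDERED = [SUBNET_NSG[0], SUBNET_NSG[1],
              Rule("DenySshFromAnywhere", 105, "Inbound", "Deny", "Tcp", "*", "*", "22")]


def nsg_demo():
    web, db = "10.0.1.4", "10.0.3.10"
    return {
        "https_from_internet": evaluate_inbound(SUBNET_NSG, Flow("Inbound", "Tcp", "203.0.113.7", web, 443)),
        "ssh_from_internet": evaluate_inbound(SUBNET_NSG, Flow("Inbound", "Tcp", "203.0.113.7", web, 22)),
        "ssh_from_bastion": evaluate_inbound(SUBNET_NSG, Flow("Inbound", "Tcp", "10.0.250.5", web, 22)),
        "ssh_from_bastion_misordered": evaluate_inbound(MISORDERED, Flow("Inbound", "Tcp", "10.0.250.5", web, 22)),
        "vnet_default": evaluate_inbound(SUBNET_NSG, Flow("Inbound", "Tcp", "10.0.2.9", web, 8080)),
        "lb_probe": evaluate_inbound(SUBNET_NSG, Flow("Inbound", "Tcp", "168.63.129.16", web, 8080)),
        "udp_from_internet": evaluate_inbound(SUBNET_NSG, Flow("Inbound", "Udp", "198.51.100.1", web, 53)),
        "db_from_app": effective_inbound(SUBNET_NSG, NIC_NSG, Flow("Inbound", "Tcp", web, db, 1433)),
        "db_from_other_subnet": effective_inbound(SUBNET_NSG, NIC_NSG, Flow("Inbound", "Tcp", "10.0.2.9", db, 1433)),
    }


if __name__ == "__main__":
    for case, outcome in nsg_demo().items():
        print(f"{case:28s} -> {outcome}")
```

Two cases are worth attention when reviewing real rule sets: traffic between VMs in the same VNet that no custom rule mentions is allowed by the AllowVnetInBound default unless a custom Deny is added (as the NIC NSG does for the database VM), and a Deny with a lower priority number than the intended Allow silently wins, as the misordered SSH case shows.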

Next Steps
Network Isolation Options for Machines in Windows Azure Virtual Networks
This includes the classic front-end and back-end scenario where machines in a particular back-end network or
subnetwork may only allow certain clients or other computers to connect to a particular endpoint based on a
whitelist of IP addresses.
Compute Isolation
Microsoft Azure provides various cloud-based computing services, including a wide selection of compute
instances and services that can scale up and down automatically to meet the needs of your application or enterprise.
Storage Isolation
Microsoft Azure separates customer VM -based computation from storage. This separation enables computation
and storage to scale independently, making it easier to provide multi-tenancy and isolation. Therefore, Azure
Storage runs on separate hardware with no network connectivity to Azure Compute except logically. All requests
run over HTTP or HTTPS based on customer’s choice.
Azure security technical capabilities
2/4/2019

To help current and prospective Azure customers understand and use the various security-related capabilities
available in and surrounding the Azure Platform, Microsoft has developed a series of White Papers, Security
Overviews, Best Practices, and Checklists. The topics range in breadth and depth and are updated periodically.
This document is part of that series, as summarized in the Abstract section below. Further information on this
Azure Security series can be found at (URL).

Azure platform
Microsoft Azure is a cloud platform comprised of infrastructure and application services, with integrated data
services and advanced analytics, and developer tools and services, hosted within Microsoft’s public cloud data
centers. Customers use Azure for many different capacities and scenarios, from basic compute, networking, and
storage, to mobile and web app services, to full cloud scenarios like Internet of Things, and can be used with open
source technologies, and deployed as hybrid cloud or hosted within a customer’s datacenter. Azure provides cloud
technology as building blocks to help companies save costs, innovate quickly, and manage systems proactively.
When you build on, or migrate IT assets to a cloud provider, you are relying on that organization’s abilities to
protect your applications and data with the services and the controls they provide to manage the security of your
cloud-based assets.
Microsoft Azure is the only cloud computing provider that offers a secure, consistent application platform and
infrastructure-as-a-service for teams to work within their different cloud skillsets and levels of project complexity,
with integrated data services and analytics that uncover intelligence from data wherever it exists, across both
Microsoft and non-Microsoft platforms, open frameworks and tools, providing choice for integrating cloud with
on-premises as well as deploying Azure cloud services within on-premises datacenters. As part of the Microsoft
Trusted Cloud, customers rely on Azure for industry-leading security, reliability, compliance, privacy, and the vast
network of people, partners, and processes to support organizations in the cloud.
With Microsoft Azure, you can:
Accelerate innovation with the cloud.
Power business decisions & apps with insights.
Build freely and deploy anywhere.
Protect your business.

Scope
The focal point of this whitepaper is the security features and functionality supporting Microsoft Azure's core
components, namely Microsoft Azure Storage, Microsoft Azure SQL Database, Microsoft Azure's virtual machine
model, and the tools and infrastructure that manage it all. This white paper focuses on the Microsoft Azure technical
capabilities available to customers to fulfil their role in protecting the security and privacy of their data.
Understanding this shared responsibility model is essential for customers who are moving to the cloud. Cloud
providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve
the customer from protecting their users, applications, and service offerings.
For IaaS solutions, the customer is responsible or has a shared responsibility for securing and managing the
operating system, network configuration, applications, identity, clients, and data. PaaS solutions build on IaaS
deployments; the customer is still responsible or has a shared responsibility for securing and managing
applications, identity, clients, and data. For SaaS solutions, the provider manages most of the stack; nonetheless,
the customer continues to be accountable. They must ensure that data is classified correctly, and they share a
responsibility to manage their users and end-point devices.
This document does not provide detailed coverage of any of the related Microsoft Azure platform components
such as Azure Web Sites, Azure Active Directory, HDInsight, Media Services, and other services that are layered
atop the core components. Although a minimum level of general information is provided, readers are assumed
familiar with Azure basic concepts as described in other references provided by Microsoft and included in links
provided in this white paper.

Available security technical capabilities to fulfil user (Customer) responsibility - Big picture
Microsoft Azure provides services that can help customers meet their security, privacy, and compliance needs. The
following picture helps explain the various Azure services available for users to build a secure and compliant
application infrastructure based on industry standards.

Manage and control identity and user access (Protect)
Azure helps you protect business and personal information by enabling you to manage user identities and
credentials and control access.
Azure Active Directory
Microsoft identity and access management solutions help IT protect access to applications and resources across
the corporate datacenter and into the cloud, enabling additional levels of validation such as multi-factor
authentication and conditional access policies. Monitoring suspicious activity through advanced security reporting,
auditing and alerting helps mitigate potential security issues. Azure Active Directory Premium provides single
sign-on to thousands of cloud (SaaS) apps and access to web apps you run on-premises.
Security benefits of Azure Active Directory (Azure AD) include the ability to:
Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups, and
devices in sync.
Provide single sign-on access to your applications including thousands of pre-integrated SaaS apps.
Enable application access security by enforcing rules-based Multi-Factor Authentication for both on-
premises and cloud applications.
Provision secure remote access to on-premises web applications through Azure AD Application Proxy.
The Azure Active Directory portal is available as part of the Azure portal. From this dashboard, you can get an
overview of the state of your organization, and easily dive into managing the directory, users, or application access.

The following are core Azure Identity management capabilities:
Single sign-on
Multi-factor authentication
Security monitoring, alerts, and machine learning-based reports
Consumer identity and access management
Device registration
Privileged identity management
Identity protection
Single sign-on
Single sign-on (SSO) means being able to access all the applications and resources that you need to do business,
by signing in only once using a single user account. Once signed in, you can access all the applications you need
without being required to authenticate (for example, type a password) a second time.
Many organizations rely upon software as a service (SaaS) applications such as Office 365, Box and Salesforce for
end-user productivity. Historically, IT staff needed to individually create and update user accounts in each SaaS
application, and users had to remember a password for each SaaS application.
Azure AD extends on-premises Active Directory into the cloud, enabling users to use their primary organizational
account to not only sign in to their domain-joined devices and company resources, but also all the web and SaaS
applications needed for their job.
Not only do users not have to manage multiple sets of usernames and passwords, application access can be
automatically provisioned or de-provisioned based on organizational groups and their status as an employee.
Azure AD introduces security and access governance controls that enable you to centrally manage users' access
across SaaS applications.
Multi-factor authentication
Azure Multi-factor Authentication (MFA) is a method of authentication that requires the use of more than one
verification method and adds a critical second layer of security to user sign-ins and transactions. MFA helps
safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers
strong authentication via a range of verification options—phone call, text message, or mobile app notification or
verification code and third-party OAuth tokens.
Security monitoring, alerts, and machine learning-based reports
Security monitoring and alerts and machine learning-based reports that identify inconsistent access patterns can
help you protect your business. You can use Azure Active Directory's access and usage reports to gain visibility into
the integrity and security of your organization’s directory. With this information, a directory admin can better
determine where possible security risks may lie so that they can adequately plan to mitigate those risks.
In the Azure portal or through the Azure Active Directory portal, reports are categorized in the following ways:
Anomaly reports – contain sign-in events that we found to be anomalous. Our goal is to make you aware of
such activity and enable you to decide whether an event is suspicious.
Integrated Application reports – provide insights into how cloud applications are being used in your
organization. Azure Active Directory offers integration with thousands of cloud applications.
Error reports – indicate errors that may occur when provisioning accounts to external applications.
User-specific reports – display device/sign-in activity data for a specific user.
Activity logs – contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days, and
group activity changes, and password reset and registration activity.
Consumer identity and access management
Azure Active Directory B2C is a highly available, global, identity management service for consumer-facing
applications that scales to hundreds of millions of identities. It can be integrated across mobile and web platforms.
Your consumers can log on to all your applications through customizable experiences by using their existing social
accounts or by creating new credentials.
In the past, application developers who wanted to sign up and sign in consumers into their applications would have
written their own code. And they would have used on-premises databases or systems to store usernames and
passwords. Azure Active Directory B2C offers your organization a better way to integrate consumer identity
management into applications with the help of a secure, standards-based platform, and a large set of extensible
policies.
When you use Azure Active Directory B2C, your consumers can sign up for your applications by using their
existing social accounts (Facebook, Google, Amazon, LinkedIn) or by creating new credentials (email address and
password, or username and password).
Device registration
Azure AD device registration is the foundation for device-based conditional access scenarios. When a device is
registered, Azure AD device registration provides the device with an identity that is used to authenticate the device
when the user signs in. The authenticated device, and the attributes of the device, can then be used to enforce
conditional access policies for applications that are hosted in the cloud and on-premises.
When combined with a mobile device management (MDM) solution such as Intune, the device attributes in Azure
Active Directory are updated with additional information about the device. This allows you to create conditional
access rules that enforce access from devices to meet your standards for security and compliance.
Privileged identity management
Azure Active Directory (AD) Privileged Identity Management lets you manage, control, and monitor your
privileged identities and access to resources in Azure AD as well as other Microsoft online services like Office 365
or Microsoft Intune.
Sometimes users need to carry out privileged operations in Azure or Office 365 resources, or other SaaS apps.
This often means organizations have to give them permanent privileged access in Azure AD. This is a growing
security risk for cloud-hosted resources because organizations can't sufficiently monitor what those users are
doing with their admin privileges. Additionally, if a user account with privileged access is compromised, that one
breach could impact their overall cloud security. Azure AD Privileged Identity Management helps to resolve this
risk.
Azure AD Privileged Identity Management lets you:
See which users are Azure AD admins
Enable on-demand, "just in time" administrative access to Microsoft Online Services like Office 365 and
Intune
Get reports about administrator access history and changes in administrator assignments
Get alerts about access to a privileged role
Identity protection
Azure AD Identity Protection is a security service that provides a consolidated view into risk events and potential
vulnerabilities affecting your organization’s identities. Identity Protection uses existing Azure Active Directory’s
anomaly detection capabilities (available through Azure AD’s Anomalous Activity Reports), and introduces new
risk event types that can detect anomalies in real-time.

Secured resource access in Azure
Access control in Azure starts from a billing perspective. The owner of an Azure account, accessed by visiting the
Azure Account Center, is the Account Administrator (AA). Subscriptions are a container for billing, but they also act
as a security boundary: each subscription has a Service Administrator (SA) who can add, remove, and modify
Azure resources in that subscription by using the Azure portal. The default SA of a new subscription is the AA, but
the AA can change the SA in the Azure Account Center.

Subscriptions also have an association with a directory. The directory defines a set of users. These can be users
from the work or school that created the directory, or they can be external users (that is, Microsoft Accounts).
Subscriptions are accessible by a subset of those directory users who have been assigned as either Service
Administrator (SA) or Co-Administrator (CA); the only exception is that, for legacy reasons, Microsoft Accounts
(formerly Windows Live ID) can be assigned as SA or CA without being present in the directory.
Security-oriented companies should focus on giving employees the exact permissions they need. Too many
permissions can expose an account to attackers. Too few permissions mean that employees can't get their work
done efficiently. Azure Role-Based Access Control (RBAC) helps address this problem by offering fine-grained
access management for Azure.

Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they
need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or
resources, you can allow only certain actions. For example, use RBAC to let one employee manage virtual
machines in a subscription, while another can manage SQL databases within the same subscription.
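The following is an added example, not code from the Azure documentation, that models how an RBAC access check resolves the scenario just described: each assignment binds a principal (user or group) to a role definition at a scope, assignments inherit down the scope hierarchy, a role's Actions wildcards grant operations and its NotActions subtract from that same role only, and the effective permission is the union over every applicable assignment. The role definitions are illustrative subsets of the real built-in roles (the real ones list more actions), and the subscription, groups, users and assignments are constructed for the example.

```python
import fnmatch

# Illustrative subsets of three built-in role definitions. Assumption: the real
# definitions list more actions; the shapes that matter here (wildcards in Actions,
# carve-outs in NotActions) are the ones shown.
ROLE_DEFINITIONS = {
    "Virtual Machine Contributor": {
        "Actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Network/networkInterfaces/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": [],
    },
    "SQL DB Contributor": {
        "Actions": ["Microsoft.Sql/servers/databases/*",
                    "Microsoft.Sql/servers/read"],
        "NotActions": ["Microsoft.Sql/servers/databases/auditingSettings/*",
                       "Microsoft.Sql/servers/databases/securityAlertPolicies/*"],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

# Constructed directory and assignments: (principal, role, scope).
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
GROUPS = {"sql-admins": {"carol"}}
ASSIGNMENTS = [
    ("alice", "Virtual Machine Contributor", f"{SUBSCRIPTION}/resourceGroups/rg-app"),
    ("sql-admins", "SQL DB Contributor", SUBSCRIPTION),
    ("bob", "Reader", SUBSCRIPTION),
]


def _in_scope(assignment_scope, resource_scope):
    """An assignment applies at its own scope and to everything beneath it."""
    a, r = assignment_scope.lower(), resource_scope.lower()
    return r == a or r.startswith(a + "/")


def _principals(user):
    """The user plus every group the user belongs to (group assignments apply transitively)."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def _role_permits(role, action):
    """A role grants an action if an Actions pattern matches and no NotActions pattern does.
    Azure treats '*' as matching any characters, including '/', which fnmatch also does."""
    defn = ROLE_DEFINITIONS[role]
    act = action.lower()
    allowed = any(fnmatch.fnmatchcase(act, p.lower()) for p in defn["Actions"])
    excluded = any(fnmatch.fnmatchcase(act, p.lower()) for p in defn["NotActions"])
    return allowed and not excluded


def is_authorized(user, action, resource_scope, assignments=ASSIGNMENTS):
    """Union of all applicable assignments: a NotAction in one role never subtracts what
    a different role grants at the same scope."""
    principals = _principals(user)
    return any(_role_permits(role, action)
               for principal, role, scope in assignments
               if principal in principals and _in_scope(scope, resource_scope))


def rbac_demo():
    vm = f"{SUBSCRIPTION}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01"
    other_vm = f"{SUBSCRIPTION}/resourceGroups/rg-data/providers/Microsoft.Compute/virtualMachines/db01"
    db = f"{SUBSCRIPTION}/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql01/databases/orders"
    return {
        "alice_starts_vm": is_authorized("alice", "Microsoft.Compute/virtualMachines/start/action", vm),
        "alice_vm_other_rg": is_authorized("alice", "Microsoft.Compute/virtualMachines/start/action", other_vm),
        "alice_writes_db": is_authorized("alice", "Microsoft.Sql/servers/databases/write", db),
        "carol_writes_db": is_authorized("carol", "Microsoft.Sql/servers/databases/write", db),
        "carol_edits_auditing": is_authorized("carol", "Microsoft.Sql/servers/databases/auditingSettings/write", db),
        "bob_reads_vm": is_authorized("bob", "Microsoft.Compute/virtualMachines/read", vm),
        "bob_deletes_vm": is_authorized("bob", "Microsoft.Compute/virtualMachines/delete", vm),
    }


if __name__ == "__main__":
    for case, outcome in rbac_demo().items():
        print(f"{case:22s} -> {outcome}")
```

Alice can operate VMs only inside rg-app, Carol gets SQL DB Contributor through her group at subscription scope but is still kept away from the auditing settings carved out by NotActions, and Bob's Reader role grants every read and nothing else. When auditing real assignments, the two things this model makes visible are scope inheritance (a subscription-level assignment reaches every resource group) and the fact that NotActions are not deny rules: adding a second role can re-grant what another role's NotActions excluded.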

Azure data security and encryption (protect)
One of the keys to data protection in the cloud is accounting for the possible states in which your data may occur,
and what controls are available for each state. The Azure data security and encryption best practices are organized
around the following states of data:
At rest: This includes all information storage objects, containers, and types that exist statically on physical
media, be it magnetic or optical disk.
In transit: When data is being transferred between components, locations or programs, such as over the
network, across a service bus (from on-premises to cloud and vice versa, including hybrid connections such
as ExpressRoute), or during an input/output process, it is thought of as being in motion.
Encryption at rest
To achieve encryption at rest, do each of the following:
Support at least one of the recommended encryption models detailed below to encrypt data.
ENCRYPTION MODELS
Server-side encryption using service-managed keys:
Azure Resource Providers perform the encryption and decryption operations
Microsoft manages the keys
Full cloud functionality
Server-side encryption using customer-managed keys in Azure Key Vault:
Azure Resource Providers perform the encryption and decryption operations
Customer controls keys via Azure Key Vault
Full cloud functionality
Server-side encryption using on-premises customer-managed keys:
Azure Resource Providers perform the encryption and decryption operations
Customer controls keys on-premises
Full cloud functionality
Client encryption:
Azure services cannot see decrypted data
Customers keep keys on-premises (or in other secure stores). Keys are not available to Azure services
Reduced cloud functionality

Enabling encryption at rest
Identify all locations where your application stores data
The goal of Encryption at Rest is to encrypt all data. Doing so eliminates the possibility of missing important data
or persisted locations. Enumerate all data stored by your application.
NOTE
Not just "application data" or "PII" but any data relating to the application, including account metadata (subscription
mappings, contract info, PII).
Consider what stores you are using to store data. For example:
External storage (for example, SQL Azure, Document DB, HDInsights, Data Lake, etc.)
Temporary storage (any local cache that includes tenant data)
In-memory cache (could be put into the page file.)
Leverage the existing encryption at rest support in Azure
For each store you use, leverage the existing Encryption at Rest support:
Azure Storage: See Azure Storage Service Encryption for Data at Rest.
Azure SQL Database: See Transparent Data Encryption (TDE) and SQL Always Encrypted.
VM & Local disk storage (Azure Disk Encryption)
For VM and Local disk storage use Azure Disk Encryption where supported:
IaaS
Services with IaaS VMs (Windows or Linux) should use Azure Disk Encryption to encrypt volumes containing
customer data.
PaaS v2
Services running on PaaS v2 using Service Fabric can use Azure Disk Encryption for Virtual Machine Scale Sets
(VMSS) to encrypt their PaaS v2 VMs.
PaaS v1
Azure Disk Encryption currently is not supported on PaaS v1. Therefore, you must use application level encryption
to encrypt persisted data at rest. This includes, but is not limited to, application data, temporary files, logs, and
crash dumps.
Most services should attempt to leverage the encryption of a storage resource provider. Some services have to do
explicit encryption, for example, any persisted key material (Certificates, root / master keys) must be stored in Key
Vault.
If you support service-side encryption with customer-managed keys, there needs to be a way for the customer to
make the key available to your service. The supported and recommended way to do that is to integrate with Azure
Key Vault (AKV). In this case customers add and manage their keys in Azure Key Vault. A customer can learn how to
use AKV via Getting Started with Key Vault.
To integrate with Azure Key Vault, you'd add code to request a key from AKV when needed for decryption. See
Azure Key Vault – Step by Step for info on how to integrate with AKV. Your service should never need to export
the customer's key material; it asks Key Vault to perform the wrap and unwrap operations instead.
If you support customer-managed keys, you need to provide a UX for the customer to specify which Key Vault (or
Key Vault key URI) to use.
As Encryption at Rest involves the encryption of host, infrastructure and tenant data, the loss of the keys due to
system failure or malicious activity could mean all the encrypted data is lost. It is therefore critical that your
Encryption at Rest solution has a comprehensive disaster recovery story resilient to system failures and malicious
activity.
Services that implement Encryption at Rest are usually still susceptible to the encryption keys or data being left
unencrypted on the host drive (for example, in the page file of the host OS). Therefore, services must ensure the
host volume for their services is encrypted. To facilitate this, the Compute team has enabled the deployment of Host
Encryption, which uses BitLocker NKP and extensions to the DCM service and agent to encrypt the host volume.
Most services are implemented on standard Azure VMs. Such services get Host Encryption automatically when
Compute enables it. For services running in Compute-managed clusters, host encryption is enabled automatically
as Windows Server 2016 is rolled out.
Encryption in-transit
Protecting data in transit should be an essential part of your data protection strategy. Since data is moving back
and forth between many locations, the general recommendation is that you always use TLS to exchange data
across different locations. In some circumstances, you may want to isolate the entire communication channel
between your on-premises and cloud infrastructure by using a virtual private network (VPN).
For data moving between your on-premises infrastructure and Azure, you should consider appropriate safeguards
such as HTTPS or VPN.
For organizations that need to secure access from multiple workstations located on-premises to Azure, use Azure
site-to-site VPN.
For organizations that need to secure access from one workstation located on-premises to Azure, use Point-to-Site
VPN.
Larger data sets can be moved over a dedicated high-speed WAN link such as ExpressRoute. An ExpressRoute
circuit is private but not encrypted by itself, so if you choose to use ExpressRoute, you should also encrypt the data
at the application level using TLS or other protocols for added protection.
If you are interacting with Azure Storage through the Azure Portal, all transactions occur via HTTPS. The Azure
Storage REST API can also be used over HTTPS, and connections to Azure SQL Database support TLS encryption.
Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks,
eavesdropping, and session hijacking. These attacks can be the first step in gaining access to confidential data.
You can learn more about Azure VPN options by reading the article Planning and design for VPN Gateway.
Enforce file level data encryption
Azure RMS uses encryption, identity, and authorization policies to help secure your files and email. Azure RMS
works across multiple devices — phones, tablets, and PCs by protecting both within your organization and outside
your organization. This capability is possible because Azure RMS adds a level of protection that remains with the
data, even when it leaves your organization’s boundaries.
When you use Azure RMS to protect your files, you are using industry-standard cryptography with full support of
FIPS 140-2. When you leverage Azure RMS for data protection, you have the assurance that the protection stays
with the file, even if it is copied to storage that is not under the control of IT, such as a cloud storage service. The
same occurs for files shared via e-mail, the file is protected as an attachment to an email message, with instructions
how to open the protected attachment. When planning for Azure RMS adoption we recommend the following:
Install the RMS sharing app. This app integrates with Office applications by installing an Office add-in so
that users can easily protect files directly.
Configure applications and services to support Azure RMS
Create custom templates that reflect your business requirements. For example: a template for top secret
data that should be applied in all top secret related emails.
Organizations that are weak on data classification and file protection may be more susceptible to data leakage.
Without proper file protection, organizations won’t be able to obtain business insights, monitor for abuse and
prevent malicious access to files.

NOTE
You can learn more about Azure RMS by reading the article Getting Started with Azure Rights Management.

Secure your application (protect)


While Azure is responsible for securing the infrastructure and platform that your application runs on, it is your
responsibility to secure your application itself. In other words, you need to develop, deploy, and manage your
application code and content in a secure way. Without this, your application code or content can still be vulnerable
to threats.
Web application firewall (WAF)
Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your
web applications from common exploits and vulnerabilities.
Web application firewall is based on rules from the OWASP Core Rule Set (CRS) 3.0 or 2.2.9. Web applications are
increasingly targets of malicious attacks that exploit common known vulnerabilities. Common among these
exploits are SQL injection attacks, cross site scripting attacks to name a few. Preventing such attacks in application
code can be challenging and may require rigorous maintenance, patching and monitoring at multiple layers of the
application topology. A centralized web application firewall helps make security management much simpler and
gives better assurance to application administrators against threats or intrusions. A WAF solution can also react to
a security threat faster by patching a known vulnerability at a central location versus securing each of individual
web applications. Existing application gateways can be converted to a web application firewall enabled application
gateway easily.
Some of the common web vulnerabilities which web application firewall protects against include:
SQL injection protection
Cross site scripting protection
Common web attack protection, such as command injection, HTTP request smuggling, HTTP response
splitting, and remote file inclusion
Protection against HTTP protocol violations
Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers
Prevention against bots, crawlers, and scanners
Detection of common application misconfigurations (for example, Apache, IIS)

NOTE
For a more detailed list of rules and their protections, see the OWASP Core Rule Set documentation for the CRS 3.0
and 2.2.9 rule sets.
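The CRS works in an anomaly-scoring mode: each matching rule adds a score (a critical match such as SQL injection adds 5, a protocol notice such as a missing header adds 2), and the request is blocked once the total reaches a threshold, 5 by default. The following is an added example of that mechanism in Python, not the Application Gateway WAF engine or any part of the real rule set: the rule names, patterns and scores are constructed and far smaller than the CRS, and the requests in the test are constructed too. Note that every inspected target is URL-decoded once before matching, which is why the percent-encoded SQL injection in the test is still caught.

```python
"""Anomaly-scoring request inspection in the style of the OWASP Core Rule
Set.  Added example, not the Application Gateway WAF engine; rule names,
patterns and scores are constructed and far smaller than the real rule set."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""


# (rule name, description, anomaly score, pattern).  CRS scores a critical
# match 5 and a notice 2; the default inbound threshold is 5, so a single
# critical finding blocks while protocol anomalies alone only raise the score.
PATTERN_RULES = [
    ("SQLI", "SQL injection", 5, re.compile(
        r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table\b)")),
    ("XSS", "Cross-site scripting", 5, re.compile(
        r"(?i)(<script\b|javascript:|\bon(?:load|error|mouseover)\s*=)")),
    ("RCE", "OS command injection", 5, re.compile(
        r"(?i)(?:;|\|\||&&)\s*(?:cat|ls|wget|curl|nc|sh|bash)\b")),
    ("LFI-RFI", "Path traversal / remote file inclusion", 5, re.compile(
        r"(?:\.\./|\.\.\\|(?i:=\s*(?:https?|ftp)://))")),
]

# Protocol anomalies: headers a real browser always sends.
HEADER_RULES = [
    ("PROTO-UA", "Missing User-Agent header", 2, "user-agent"),
    ("PROTO-HOST", "Missing Host header", 2, "host"),
]

ANOMALY_THRESHOLD = 5


def inspect(req: Request):
    """Score one request.  Every target is URL-decoded once so that
    %27%20OR%20 style encoding does not slip past the patterns."""
    score, matched = 0, []
    targets = [unquote_plus(req.path), unquote_plus(req.query), unquote_plus(req.body)]
    targets += [unquote_plus(v) for v in req.headers.values()]
    for name, _desc, points, pattern in PATTERN_RULES:
        if any(pattern.search(t) for t in targets):
            score += points
            matched.append(name)
    present = {h.lower() for h in req.headers}
    for name, _desc, points, header in HEADER_RULES:
        if header not in present:
            score += points
            matched.append(name)
    return score, matched


def decide(req: Request, threshold: int = ANOMALY_THRESHOLD):
    """Prevention-mode decision: block once the summed score reaches the threshold."""
    score, matched = inspect(req)
    return ("block" if score >= threshold else "allow"), score, matched
```

A request with no User-Agent and no Host header scores 4 and is allowed at the default threshold but would be blocked at a stricter one, which is the trade-off an operator tunes when moving a WAF from detection to prevention mode.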
Azure also provides several easy-to-use features to help secure both inbound and outbound traffic for your app.
Azure also helps customers secure their application code by providing externally provided functionality to scan
your web application for vulnerabilities.
Setup Azure Active Directory authentication for your app
Secure traffic to your app by enabling Transport Layer Security (TLS/SSL ) - HTTPS
Force all incoming traffic over HTTPS connection
Enable Strict Transport Security (HSTS )
Restrict access to your app by client's IP address
Restrict access to your app by client's behavior - request frequency and concurrency
Scan your web app code for vulnerabilities using Tinfoil Security Scanning
Configure TLS mutual authentication to require client certificates to connect to your web app
Configure a client certificate for use from your app to securely connect to external resources
Remove standard server headers to avoid tools from fingerprinting your app
Securely connect your app with resources in a private network using Point-To-Site VPN
Securely connect your app with resources in a private network using Hybrid Connections
Azure App Service uses the same Antimalware solution used by Azure Cloud Services and Virtual Machines. To
learn more about this refer to our Antimalware documentation.
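Three items in the list above (forcing HTTPS, enabling HSTS, and removing standard server headers) can be verified from the outside by looking at the raw responses the app returns. The following is an added example, not an Azure tool, that audits constructed HTTP/1.1 responses for those three points; the host name `app.contoso.example` and the response bodies are constructed, and the one-year `max-age` floor is the value the HSTS preload list requires.

```python
"""Audit of three items from the list above (HTTPS enforcement, HSTS, server
header removal) against raw HTTP responses.  Added example, not an Azure
tool; the responses below are constructed."""

FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
ONE_YEAR = 31536000   # HSTS max-age the preload list requires (seconds)


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> dict:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip()
    return directives


def audit(http_response: str, https_response: str, min_max_age: int = ONE_YEAR) -> list:
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    status, headers = parse_response(http_response)
    if status not in (301, 308) or not headers.get("location", "").startswith("https://"):
        findings.append("plain HTTP is served instead of a permanent redirect to HTTPS")
    status, headers = parse_response(https_response)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing on the HTTPS response")
    else:
        directives = parse_hsts(hsts)
        if int(directives.get("max-age", "0")) < min_max_age:
            findings.append("HSTS max-age is below %d seconds" % min_max_age)
        if "includesubdomains" not in directives:
            findings.append("HSTS does not include subdomains")
    for header in FINGERPRINT_HEADERS:
        if header in headers:
            findings.append("fingerprinting header present: %s: %s" % (header, headers[header]))
    return findings


# Constructed responses: a default deployment and a hardened one.
WEAK_HTTP = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\nX-Powered-By: ASP.NET\r\n"
             "Content-Type: text/html\r\n\r\n<html>...</html>")
WEAK_HTTPS = WEAK_HTTP
HARD_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://app.contoso.example/\r\n\r\n"
HARD_HTTPS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              "Content-Type: text/html\r\n\r\n<html>...</html>")
```

HSTS only takes effect once a browser has seen the header over a valid HTTPS connection, so the redirect check and the header check belong together: without the redirect, a first visit over plain HTTP never reaches the header.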

Secure your network (protect)


Microsoft Azure includes a robust networking infrastructure to support your application and service connectivity
requirements. Network connectivity is possible between resources located in Azure, between on-premises and
Azure hosted resources, and to and from the Internet and Azure.
The Azure network infrastructure enables you to securely connect Azure resources to each other with virtual
networks (VNets). A VNet is a representation of your own network in the cloud. A VNet is a logical isolation of the
Azure cloud network dedicated to your subscription. You can connect VNets to your on-premises networks.
If you need basic network-level access control (based on IP address and the TCP or UDP protocols), then you can
use Network Security Groups. A Network Security Group (NSG) is a basic stateful packet filtering firewall and it
enables you to control access based on a 5-tuple (source address, source port, destination address, destination
port, and protocol). Rules are evaluated in priority order and the first match wins.
Azure networking supports the ability to customize the routing behavior for network traffic on your Azure Virtual
Networks. You can do this by configuring User-Defined Routes in Azure.
Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection
to devices on the Internet, by redirecting all Internet-bound traffic back to your on-premises network for inspection.
Azure supports dedicated WAN link connectivity to your on-premises network and an Azure Virtual Network with
ExpressRoute. The link between Azure and your site uses a dedicated connection that does not go over the public
Internet. If your Azure application is running in multiple datacenters, you can use Azure Traffic Manager to route
requests from users intelligently across instances of the application. You can also route traffic to services not
running in Azure if they are accessible from the Internet.

Virtual machine security (protect)


Azure Virtual Machines lets you deploy a wide range of computing solutions in an agile way. With support for
Microsoft Windows, Linux, Microsoft SQL Server, Oracle, IBM, SAP, and Azure BizTalk Services, you can deploy
any workload and any language on nearly any operating system.
With Azure, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro,
and Kaspersky to protect your virtual machines from malicious files, adware, and other threats.
Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that
helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides
configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure
systems.
Azure Backup is a scalable solution that protects your application data with zero capital investment and minimal
operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your
applications. With Azure Backup, your virtual machines running Windows and Linux are protected.
Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are
available from a secondary location if your primary location goes down.

Ensure compliance: Cloud services due diligence checklist (protect)


Microsoft developed the Cloud Services Due Diligence Checklist to help organizations exercise due diligence as
they consider a move to the cloud. It provides a structure for an organization of any size and type—private
businesses and public-sector organizations, including government at all levels and nonprofits—to identify their
own performance, service, data management, and governance objectives and requirements. This allows them to
compare the offerings of different cloud service providers, ultimately forming the basis for a cloud service
agreement.
The checklist provides a framework that aligns clause-by-clause with a new international standard for cloud service
agreements, ISO/IEC 19086. This standard offers a unified set of considerations for organizations to help them
make decisions about cloud adoption, and create a common ground for comparing cloud service offerings.
The checklist promotes a thoroughly vetted move to the cloud, providing structured guidance and a consistent,
repeatable approach for choosing a cloud service provider.
Cloud adoption is no longer simply a technology decision. Because checklist requirements touch on every aspect of
an organization, they serve to convene all key internal decision-makers: the CIO and CISO as well as legal, risk
management, procurement, and compliance professionals. This increases the efficiency of the decision-making
process and grounds decisions in sound reasoning, thereby reducing the likelihood of unforeseen roadblocks to
adoption.
In addition, the checklist:
Exposes key discussion topics for decision-makers at the beginning of the cloud adoption process.
Supports thorough business discussions about regulations and the organization’s own objectives for
privacy, personally identifiable information (PII), and data security.
Helps organizations identify any potential issues that could affect a cloud project.
Provides a consistent set of questions, with the same terms, definitions, metrics, and deliverables for each
provider, to simplify the process of comparing offerings from different cloud service providers.

Azure infrastructure and application security validation (detect)


Azure Operational Security refers to the services, controls, and features available to users for protecting their data,
applications, and other assets in Microsoft Azure.

Azure Operational Security is built on a framework that incorporates the knowledge gained through various
capabilities that are unique to Microsoft, including the Microsoft Security Development Lifecycle (SDL), the
Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.
Microsoft Azure Log Analytics
Log Analytics is the IT management solution for the hybrid cloud. Used alone or to extend your existing System
Center deployment, Log Analytics gives you the maximum flexibility and control for cloud-based management of
your infrastructure.

With Log Analytics, you can manage any instance in any cloud, including on-premises, Azure, AWS, Windows
Server, Linux, VMware, and OpenStack, at a lower cost than competitive solutions. Built for the cloud-first world,
Log Analytics offers a new approach to managing your enterprise that is the fastest, most cost-effective way to
meet new business challenges and accommodate new workloads, applications and cloud environments.
Log analytics
Log Analytics provides monitoring services by collecting data from managed resources into a central repository.
This data could include events, performance data, or custom data provided through the API. Once collected, the
data is available for alerting, analysis, and export.

This method allows you to consolidate data from a variety of sources, so you can combine data from your Azure
services with your existing on-premises environment. It also clearly separates the collection of the data from the
action taken on that data so that all actions are available to all kinds of data.
Azure Security Center
Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into and control
over the security of your Azure resources. It provides integrated security monitoring and policy management
across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad
ecosystem of security solutions.
Security Center analyzes the security state of your Azure resources to identify potential security vulnerabilities. A
list of recommendations guides you through the process of configuring needed controls.
Examples include:
Provisioning antimalware to help identify and remove malicious software
Configuring network security groups and rules to control traffic to VMs
Provisioning of web application firewalls to help defend against attacks that target your web applications
Deploying missing system updates
Addressing OS configurations that do not match the recommended baselines
Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network,
and partner solutions like antimalware programs and firewalls. When threats are detected, a security alert is
created. Examples include detection of:
Compromised VMs communicating with known malicious IP addresses
Advanced malware detected by using Windows error reporting
Brute force attacks against VMs
Security alerts from integrated antimalware programs and firewalls
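The "brute force attacks against VMs" detection above is, at its core, a count of failed logons per source inside a sliding time window, with the severity raised when a success follows from the same source. The following is an added example of that logic in Python; it is not Security Center's own detection, and the events are constructed, in the shape (TimeGenerated, EventID, IpAddress, Account) that the Log Analytics SecurityEvent table exposes for Windows event 4625 (failed logon) and 4624 (successful logon).

```python
"""Sliding-window brute-force detection over Windows logon events (EventID
4625 = failed logon, 4624 = successful logon), in the shape Log Analytics'
SecurityEvent table exposes them.  Added example of the kind of detection
behind a 'brute force attack against VM' alert; it is not Security Center's
own logic, and the events below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
TimeGenerated,EventID,IpAddress,Account
2018-11-16T10:00:01Z,4625,203.0.113.9,administrator
2018-11-16T10:00:02Z,4625,203.0.113.9,administrator
2018-11-16T10:00:03Z,4625,203.0.113.9,admin
2018-11-16T10:00:04Z,4625,203.0.113.9,admin
2018-11-16T10:00:05Z,4625,203.0.113.9,sqlsvc
2018-11-16T10:00:06Z,4625,203.0.113.9,administrator
2018-11-16T10:00:07Z,4625,203.0.113.9,admin
2018-11-16T10:00:08Z,4625,203.0.113.9,sqlsvc
2018-11-16T10:00:09Z,4625,203.0.113.9,administrator
2018-11-16T10:00:10Z,4625,203.0.113.9,administrator
2018-11-16T10:00:14Z,4624,203.0.113.9,administrator
2018-11-16T10:01:00Z,4625,10.0.1.7,jdoe
2018-11-16T10:01:10Z,4625,10.0.1.7,jdoe
2018-11-16T10:01:20Z,4624,10.0.1.7,jdoe
"""


def parse_events(text: str) -> list:
    """Parse the CSV export into dicts sorted by time."""
    lines = text.strip().splitlines()
    keys = lines[0].split(",")
    events = []
    for line in lines[1:]:
        rec = dict(zip(keys, line.split(",")))
        rec["TimeGenerated"] = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        rec["EventID"] = int(rec["EventID"])
        events.append(rec)
    return sorted(events, key=lambda r: r["TimeGenerated"])


def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """One alert per source IP whose failed logons within `window` reach
    `threshold`.  A later successful logon from the same IP raises the
    severity, since a password was probably guessed."""
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    accounts = defaultdict(set)      # ip -> account names tried
    alerts = {}
    for ev in events:
        ip, ts = ev["IpAddress"], ev["TimeGenerated"]
        queue = recent[ip]
        while queue and ts - queue[0] > window:
            queue.popleft()              # drop failures that fell out of the window
        if ev["EventID"] == 4625:
            queue.append(ts)
            accounts[ip].add(ev["Account"])
            if len(queue) >= threshold:
                alert = alerts.setdefault(ip, {"severity": "medium", "first_seen": queue[0]})
                alert["failures"] = len(queue)
                alert["accounts"] = set(accounts[ip])
        elif ev["EventID"] == 4624 and ip in alerts:
            alerts[ip]["severity"] = "high"
            alerts[ip]["compromised_account"] = ev["Account"]
    return alerts
```

The two failures from the internal address followed by a success are the normal mistyped-password pattern and produce no alert; the ten rapid failures across several accounts followed by a success from the external address do, and the set of accounts tried is kept on the alert because password spraying across accounts is what distinguishes an attack from one user locked out of their own account.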
Azure monitor
Azure Monitor provides pointers to information on specific types of resources. It offers visualization, query,
routing, alerting, auto scale, and automation on data both from the Azure infrastructure (Activity Log) and each
individual Azure resource (Diagnostic Logs).
Cloud applications are complex with many moving parts. Monitoring provides data to ensure that your application
stays up and running in a healthy state. It also helps you to stave off potential problems or troubleshoot past ones.

In addition,
you can use monitoring data to gain deep insights about your application. That knowledge can help you to improve
application performance or maintainability, or automate actions that would otherwise require manual intervention.
Auditing your network security is vital for detecting network vulnerabilities and ensuring compliance with your IT
security and regulatory governance model. With Security Group view, you can retrieve the configured Network
Security Group and security rules, as well as the effective security rules. With the list of rules applied, you can
determine the ports that are open and assess network vulnerability.
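Working out which ports are open from an effective-rules list, as Security Group view lets you do, means replaying NSG evaluation: lowest priority number first, first match wins, and Azure's default inbound rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) apply when nothing else matches. The following is an added example of that evaluation in Python for the NSG 5-tuple filtering described in "Secure your network" above; it is not Azure's data plane. The VNet address space, the rule set, and the addresses in the test are constructed, and the `Internet` tag is simplified to "anything outside RFC 1918 and the VNet" (the real tag is defined by Azure's published address ranges). The last rule in the constructed set is the kind of over-broad rule such an audit should surface.

```python
"""NSG-style evaluation of a 5-tuple against a rule set.  Added example, not
Azure's data plane: rules are tried in ascending priority (100-4096 for
custom rules), the first match decides, and Azure's default inbound rules
(65000 and up) apply when nothing else matches."""
import ipaddress
from dataclasses import dataclass

# Constructed VNet address space standing in for the VirtualNetwork service tag.
VNET_SPACES = [ipaddress.ip_network("10.0.0.0/16")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")   # source of AzureLoadBalancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, "*", or a service tag name
    source_ports: str  # "*", "22" or "1024-65535"
    destination: str
    dest_ports: str


# Azure's default inbound rules: they cannot be deleted, only overridden by a
# custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in net for net in VNET_SPACES)
    if spec == "Internet":   # simplified: anything outside RFC 1918 and the VNet
        return not any(ip in net for net in RFC1918 + VNET_SPACES)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, protocol, src, src_port, dst, dst_port):
    """Return (access, rule name) for the first rule matching the 5-tuple."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if ((rule.protocol == "*" or rule.protocol.lower() == protocol.lower())
                and _addr_matches(rule.source, src)
                and _port_matches(rule.source_ports, src_port)
                and _addr_matches(rule.destination, dst)
                and _port_matches(rule.dest_ports, dst_port)):
            return rule.access, rule.name
    return "Deny", "implicit"


def open_ports(rules, protocol, src, dst, ports=range(1, 1024)):
    """Audit helper: destination ports reachable from src, the question an
    effective-rules review is meant to answer."""
    return [p for p in ports if evaluate(rules, protocol, src, 40000, dst, p)[0] == "Allow"]


# Constructed rule set; the last rule is the kind of mistake the audit should surface.
CUSTOM_INBOUND = [
    Rule("AllowHTTPS", 100, "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("DenyRDPFromInternet", 200, "Deny", "Tcp", "Internet", "*", "*", "3389"),
    Rule("AllowSSHFromBastion", 300, "Allow", "Tcp", "10.0.1.0/24", "*", "*", "22"),
    Rule("AllowAnyInbound", 4000, "Allow", "*", "*", "*", "*", "*"),
]
```

With the first three rules alone, the only port reachable from the Internet is 443 and SSH is limited to the bastion subnet; adding the priority-4000 allow-all rule opens every port from every source, and because it sits below the explicit RDP deny at 200, RDP is still blocked, which is exactly the kind of partially-correct result that makes such rules easy to miss in a manual review.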
Network watcher
Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network level in,
to, and from Azure. Network diagnostic and visualization tools available with Network Watcher help you
understand, diagnose, and gain insights to your network in Azure. This service includes packet capture, next hop, IP
flow verify, security group view, NSG flow logs. Scenario level monitoring provides an end to end view of network
resources in contrast to individual network resource monitoring.
Storage analytics
Storage Analytics can store metrics that include aggregated transaction statistics and capacity data about requests
to a storage service. Transactions are reported at both the API operation level as well as at the storage service level,
and capacity is reported at the storage service level. Metrics data can be used to analyze storage service usage,
diagnose issues with requests made against the storage service, and to improve the performance of applications
that use a service.
Application Insights
Application Insights is an extensible Application Performance Management (APM) service for web developers on
multiple platforms. Use it to monitor your live web application. It will automatically detect performance anomalies.
It includes powerful analytics tools to help you diagnose issues and to understand what users do with your app. It's
designed to help you continuously improve performance and usability. It works for apps on a wide variety of
platforms including .NET, Node.js and J2EE, hosted on-premises or in the cloud. It integrates with your DevOps
process, and has connection points to various development tools.
It monitors:
Request rates, response times, and failure rates - Find out which pages are most popular, at what times
of day, and where your users are. See which pages perform best. If your response times and failure rates go
high when there are more requests, then perhaps you have a resourcing problem.
Dependency rates, response times, and failure rates - Find out whether external services are slowing
you down.
Exceptions - Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and
related requests. Both server and browser exceptions are reported.
Page views and load performance - reported by your users' browsers.
AJAX calls from web pages - rates, response times, and failure rates.
User and session counts.
Performance counters from your Windows or Linux server machines, such as CPU, memory, and network
usage.
Host diagnostics from Docker or Azure.
Diagnostic trace logs from your app - so that you can correlate trace events with requests.
Custom events and metrics that you write yourself in the client or server code, to track business events
such as items sold, or games won.
The infrastructure for your application is typically made up of many components – maybe a virtual machine,
storage account, and virtual network, or a web app, database, database server, and 3rd party services. You do not
see these components as separate entities, instead you see them as related and interdependent parts of a single
entity. You want to deploy, manage, and monitor them as a group. Azure Resource Manager enables you to work
with the resources in your solution as a group.
You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use a
template for deployment and that template can work for different environments such as testing, staging, and
production. Resource Manager provides security, auditing, and tagging features to help you manage your
resources after deployment.
The benefits of using Resource Manager
Resource Manager provides several benefits:
You can deploy, manage, and monitor all the resources for your solution as a group, rather than handling
these resources individually.
You can repeatedly deploy your solution throughout the development lifecycle and have confidence your
resources are deployed in a consistent state.
You can manage your infrastructure through declarative templates rather than scripts.
You can define the dependencies between resources, so they are deployed in the correct order.
You can apply access control to all services in your resource group because Role-Based Access Control
(RBAC ) is natively integrated into the management platform.
You can apply tags to resources to logically organize all the resources in your subscription.
You can clarify your organization's billing by viewing costs for a group of resources sharing the same tag.

NOTE
Resource Manager provides a new way to deploy and manage your solutions. If you used the earlier deployment model and
want to learn about the changes, see Understanding Resource Manager Deployment and classic deployment.

Next steps
Find out more about security by reading some of our in-depth security topics:
Auditing and logging
Cybercrime
Design and operational security
Encryption
Identity and access management
Network security
Threat management
Develop secure applications on Azure
11/16/2018

Abstract
This paper is a general guide to the security questions and controls you should consider at each phase of the
software development lifecycle when developing applications for the cloud. Implementing these concepts before
you release your product can help you build more secure software. The recommendations presented in this paper
come from our experience with Azure security and the experiences of our customers.
This paper is intended to be a resource for software designers, developers, and testers at all levels who build and
deploy secure Azure solutions.
Azure encryption overview
9/24/2018

This article provides an overview of how encryption is used in Microsoft Azure. It covers the major areas of
encryption, including encryption at rest, encryption in flight, and key management with Azure Key Vault. Each
section includes links to more detailed information.

Encryption of data at rest


Data at rest includes information that resides in persistent storage on physical media, in any digital format. The
media can include files on magnetic or optical media, archived data, and data backups. Microsoft Azure offers a
variety of data storage solutions to meet different needs, including file, disk, blob, and table storage. Microsoft also
provides encryption to protect Azure SQL Database, Azure Cosmos DB, and Azure Data Lake.
Data encryption at rest is available for services across the software as a service (SaaS ), platform as a service
(PaaS ), and infrastructure as a service (IaaS ) cloud models. This article summarizes and provides resources to help
you use the Azure encryption options.
For a more detailed discussion of how data at rest is encrypted in Azure, see Azure Data Encryption-at-Rest.

Azure encryption models


Azure supports various encryption models, including server-side encryption that uses service-managed keys,
customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware. With client-
side encryption, you can manage and store keys on-premises or in another secure location.
Client-side encryption
Client-side encryption is performed outside of Azure. It includes:
Data encrypted by an application that’s running in the customer’s datacenter or by a service application.
Data that is already encrypted when it is received by Azure.
With client-side encryption, cloud service providers don’t have access to the encryption keys and cannot decrypt
this data. You maintain complete control of the keys.
Server-side encryption
The three server-side encryption models offer different key management characteristics, which you can choose
according to your requirements:
Service-managed keys: Provides a combination of control and convenience with low overhead.
Customer-managed keys: Gives you control over the keys, including Bring Your Own Key (BYOK)
support, or allows you to generate new ones in Key Vault.
Customer-managed keys in customer-controlled hardware: Enables you to manage keys in your own
repository, outside of Microsoft control. This characteristic is called Host Your Own Key (HYOK).
However, configuration is complex, and most Azure services don't support this model.
Azure disk encryption
You can protect Windows and Linux virtual machines by using Azure Disk Encryption, which uses Windows
BitLocker technology and Linux dm-crypt to protect both operating system disks and data disks with full volume
encryption.
Encryption keys and secrets are safeguarded in an Azure Key Vault in your subscription. By using the Azure Backup
service, you can back up and restore encrypted virtual machines (VMs) that use the Key Encryption Key (KEK)
configuration.
Azure Storage Service Encryption
Data at rest in Azure Blob storage and Azure file shares can be encrypted in both server-side and client-side
scenarios.
Azure Storage Service Encryption (SSE) automatically encrypts data before it is stored, and automatically decrypts
the data when you retrieve it. The process is completely transparent to users. Storage Service Encryption uses
256-bit Advanced Encryption Standard (AES) encryption, one of the strongest block ciphers available; the service
handles encryption, decryption, and key management transparently.
Client-side encryption of Azure blobs
You can perform client-side encryption of Azure blobs in various ways.
You can use the Azure Storage Client Library for .NET NuGet package to encrypt data within your client
applications prior to uploading it to your Azure storage.
To learn more about and download the Azure Storage Client Library for .NET NuGet package, see Windows Azure
Storage 8.3.0.
When you use client-side encryption with Key Vault, your data is encrypted using a one-time symmetric Content
Encryption Key (CEK) that is generated by the Azure Storage client SDK. The CEK is encrypted using a Key
Encryption Key (KEK), which can be either a symmetric key or an asymmetric key pair. You can manage it locally or
store it in Key Vault. The encrypted data is then uploaded to Azure Storage.
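The CEK/KEK scheme just described, and the customer-managed key integration that the "Enabling encryption at rest" section asks services to support, are both envelope encryption. The following is an added example of that scheme in Python using the `cryptography` package; it is not the Azure Storage client SDK. Each object gets a fresh 256-bit CEK used with AES-GCM, and the CEK is wrapped (RFC 3394 AES key wrap) under a long-lived KEK. The two KEK identifiers are hypothetical Key Vault key URIs and the in-memory `KEK_STORE` stands in for Key Vault, which in practice performs the wrap and unwrap calls so the KEK never leaves the service. Rotating the KEK only re-wraps the CEK and leaves the ciphertext untouched, and losing every copy of the KEK makes the data unrecoverable, which is the disaster-recovery point made in the encryption-at-rest guidance above.

```python
"""Envelope encryption with a customer-managed KEK (added example; not the
Azure Storage client library).  Requires the 'cryptography' package."""
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap

# Hypothetical Key Vault key identifiers; used here only as opaque KEK labels.
KEK_ID_V1 = "https://contoso-kv.vault.azure.net/keys/blob-kek/v1"
KEK_ID_V2 = "https://contoso-kv.vault.azure.net/keys/blob-kek/v2"

# Constructed stand-in for Key Vault.  With a real vault the KEK bytes never
# leave the service: wrap/unwrap would be remote operations keyed by kek_id.
KEK_STORE = {KEK_ID_V1: os.urandom(32), KEK_ID_V2: os.urandom(32)}


def encrypt_blob(plaintext: bytes, kek_id: str, aad: bytes = b"") -> dict:
    """Encrypt one object: a fresh 256-bit CEK under AES-GCM, then wrap the
    CEK (RFC 3394 AES key wrap) under the KEK named by kek_id.  `aad` binds
    metadata such as the blob name so an envelope cannot be swapped between
    objects."""
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)                      # never reuse a nonce with a CEK
    ciphertext = AESGCM(cek).encrypt(nonce, plaintext, aad)
    return {
        "kek_id": kek_id,
        "wrapped_cek": aes_key_wrap(KEK_STORE[kek_id], cek).hex(),
        "nonce": nonce.hex(),
        "aad": aad.hex(),
        "ciphertext": ciphertext.hex(),
    }


def decrypt_blob(envelope: dict) -> bytes:
    """Unwrap the CEK under the KEK the envelope names, then decrypt.
    A missing KEK raises KeyError: with no copy of the KEK the data is gone."""
    kek = KEK_STORE[envelope["kek_id"]]
    cek = aes_key_unwrap(kek, bytes.fromhex(envelope["wrapped_cek"]))
    return AESGCM(cek).decrypt(
        bytes.fromhex(envelope["nonce"]),
        bytes.fromhex(envelope["ciphertext"]),
        bytes.fromhex(envelope["aad"]),
    )


def rotate_kek(envelope: dict, new_kek_id: str) -> dict:
    """KEK rotation: re-wrap the CEK under the new KEK.  The ciphertext is
    untouched, so rotation costs one unwrap and one wrap per object rather
    than a re-encryption of the data."""
    cek = aes_key_unwrap(KEK_STORE[envelope["kek_id"]],
                         bytes.fromhex(envelope["wrapped_cek"]))
    rotated = dict(envelope)
    rotated["kek_id"] = new_kek_id
    rotated["wrapped_cek"] = aes_key_wrap(KEK_STORE[new_kek_id], cek).hex()
    return rotated


if __name__ == "__main__":
    env = encrypt_blob(b"tenant record 42", KEK_ID_V1, aad=b"container/blob-42")
    env = rotate_kek(env, KEK_ID_V2)
    print(decrypt_blob(env))
```

The envelope stores the KEK identifier, not the KEK, so a decrypting service only ever needs unwrap permission on that key; revoking that permission (or deleting the key without a backup) is what turns customer-managed keys into an effective kill switch, and also what makes the key backup and recovery plan mandatory.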
To learn more about client-side encryption with Key Vault and get started with how -to instructions, see Tutorial:
Encrypt and decrypt blobs in Azure Storage by using Key Vault.
Finally, you can also use the Azure Storage Client Library for Java to perform client-side encryption before you
upload data to Azure Storage, and to decrypt the data when you download it to the client. This library also
supports integration with Key Vault for storage account key management.
Encryption of data at rest with Azure SQL Database
Azure SQL Database is a general-purpose relational database service in Azure that supports structures such as
relational data, JSON, spatial, and XML. SQL Database supports both server-side encryption via the Transparent
Data Encryption (TDE ) feature and client-side encryption via the Always Encrypted feature.
Transparent Data Encryption
TDE is used to encrypt SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files in real time,
using a Database Encryption Key (DEK), which is stored in the database boot record for availability during recovery.
TDE protects data and log files, using AES and Triple Data Encryption Standard (3DES ) encryption algorithms.
Encryption of the database file is performed at the page level. The pages in an encrypted database are encrypted
before they are written to disk and are decrypted when they’re read into memory. TDE is now enabled by default
on newly created Azure SQL databases.
Always Encrypted feature
With the Always Encrypted feature in Azure SQL you can encrypt data within client applications prior to storing it
in Azure SQL Database. You can also enable delegation of on-premises database administration to third parties
and maintain separation between those who own and can view the data and those who manage it but should not
have access to it.
Cell-level or column-level encryption
With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL. This
approach is called cell-level encryption or column-level encryption (CLE), because you can use it to encrypt specific
columns or even specific cells of data with different encryption keys. Doing so gives you more granular encryption
capability than TDE, which encrypts data in pages.
CLE has built-in functions that you can use to encrypt data by using either symmetric or asymmetric keys, the
public key of a certificate, or a passphrase using 3DES.
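As an added example (not from the original document), the following Transact-SQL shows cell-level encryption end to end: a database master key protects a certificate, the certificate protects an AES-256 symmetric key, and that key encrypts a single column on write and decrypts it on read. The table, column, key and certificate names and the sample card number are assumptions for illustration.

```sql
-- Added example (not from the original document): cell-level encryption of one column with
-- a symmetric AES-256 key protected by a certificate. Names and sample data are illustrative.

-- 1. The database master key protects the certificate. Azure SQL Database requires a password here.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';

-- 2. The certificate protects the symmetric key; the symmetric key does the bulk encryption.
CREATE CERTIFICATE CustomerDataCert WITH SUBJECT = 'Protects customer payment data';
CREATE SYMMETRIC KEY CustomerDataKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerDataCert;

-- 3. Ciphertext is stored as varbinary; there is no plaintext column for the card number.
CREATE TABLE dbo.Customer
(
    CustomerId    int           NOT NULL PRIMARY KEY,
    DisplayName   nvarchar(100) NOT NULL,
    CardNumberEnc varbinary(256) NULL    -- ciphertext only
);

-- 4. Encrypt on write. The key must be open in the session. The authenticator argument binds
--    the ciphertext to the row's key, so a value copied onto another row will not decrypt.
OPEN SYMMETRIC KEY CustomerDataKey DECRYPTION BY CERTIFICATE CustomerDataCert;

INSERT INTO dbo.Customer (CustomerId, DisplayName, CardNumberEnc)
VALUES (1001, N'Example Customer',
        ENCRYPTBYKEY(KEY_GUID('CustomerDataKey'), N'4111111111111111',
                     1, CONVERT(varbinary, 1001)));

-- 5. Decrypt on read, casting back to the type that was encrypted (nvarchar).
SELECT CustomerId,
       DisplayName,
       CONVERT(nvarchar(20),
               DECRYPTBYKEY(CardNumberEnc, 1, CONVERT(varbinary, CustomerId))) AS CardNumber
FROM dbo.Customer;

CLOSE SYMMETRIC KEY CustomerDataKey;

-- The passphrase variant mentioned in the text, ENCRYPTBYPASSPHRASE / DECRYPTBYPASSPHRASE,
-- needs no key objects but uses 3DES; prefer the key hierarchy above when you can manage it.
```

Only principals with permission to open the symmetric key (and the certificate that protects it) can decrypt the column, which is what gives CLE finer-grained control than TDE. When the authenticator does not match, DECRYPTBYKEY returns NULL rather than raising an error, so application code should treat a NULL from a non-NULL ciphertext as a tampering signal.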
Cosmos DB database encryption
Azure Cosmos DB is Microsoft's globally distributed, multi-model database. User data that's stored in Cosmos DB
in non-volatile storage (solid-state drives) is encrypted by default. There are no controls to turn it on or off.
Encryption at rest is implemented by using a number of security technologies, including secure key storage
systems, encrypted networks, and cryptographic APIs. Encryption keys are managed by Microsoft and are rotated
per Microsoft internal guidelines.
At-rest encryption in Data Lake
Azure Data Lake is an enterprise-wide repository of every type of data collected in a single place prior to any
formal definition of requirements or schema. Data Lake Store supports "on by default," transparent encryption of
data at rest, which is set up during the creation of your account. By default, Azure Data Lake Store manages the
keys for you, but you have the option to manage them yourself.
Three types of keys are used in encrypting and decrypting data: the Master Encryption Key (MEK), Data Encryption
Key (DEK), and Block Encryption Key (BEK). The MEK is used to encrypt the DEK, which is stored on persistent
media, and the BEK is derived from the DEK and the data block. If you are managing your own keys, you can rotate
the MEK.

Encryption of data in transit


Azure offers many mechanisms for keeping data private as it moves from one location to another.
TLS/SSL encryption in Azure
Microsoft uses the Transport Layer Security (TLS) protocol to protect data when it’s traveling between the cloud
services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to
Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message
tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.
Perfect Forward Secrecy (PFS) protects connections between customers’ client systems and Microsoft cloud
services by unique keys. Connections also use RSA-based 2,048-bit encryption key lengths. This combination
makes it difficult for someone to intercept and access data that is in transit.
Azure Storage transactions
When you interact with Azure Storage through the Azure portal, all transactions take place over HTTPS. You can
also use the Storage REST API over HTTPS to interact with Azure Storage. You can enforce the use of HTTPS
when you call the REST APIs to access objects in storage accounts by enabling the secure transfer that's required
for the storage account.
Shared Access Signatures (SAS), which can be used to delegate access to Azure Storage objects, include an option
to specify that only the HTTPS protocol can be used when you use Shared Access Signatures. This approach
ensures that anybody who sends links with SAS tokens uses the proper protocol.
SMB 3.0, which is used to access Azure Files shares, supports encryption, and it's available in Windows Server 2012
R2, Windows 8, Windows 8.1, and Windows 10. It allows cross-region access and even access on the desktop.
Client-side encryption encrypts the data before it’s sent to your Azure Storage instance, so that it’s encrypted as it
travels across the network.
SMB encryption over Azure virtual networks
By using SMB 3.0 in VMs that are running Windows Server 2012 or later, you can make data transfers secure by
encrypting data in transit over Azure Virtual Networks. By encrypting data, you help protect against tampering and
eavesdropping attacks. Administrators can enable SMB encryption for the entire server, or just specific shares.
By default, after SMB encryption is turned on for a share or server, only SMB 3.0 clients are allowed to access the
encrypted shares.

In-transit encryption in VMs


Data in transit to, from, and between VMs that are running Windows is encrypted in a number of ways, depending
on the nature of the connection.
RDP sessions
You can connect and sign in to a VM by using the Remote Desktop Protocol (RDP) from a Windows client
computer, or from a Mac with an RDP client installed. Data in transit over the network in RDP sessions can be
protected by TLS.
You can also use Remote Desktop to connect to a Linux VM in Azure.
Secure access to Linux VMs with SSH
For remote management, you can use Secure Shell (SSH) to connect to Linux VMs running in Azure. SSH is an
encrypted connection protocol that allows secure sign-ins over unsecured connections. It is the default connection
protocol for Linux VMs hosted in Azure. By using SSH keys for authentication, you eliminate the need for
passwords to sign in. SSH uses a public/private key pair (asymmetric encryption) for authentication.

Azure VPN encryption


You can connect to Azure through a virtual private network that creates a secure tunnel to protect the privacy of
the data being sent across the network.
Azure VPN gateways
You can use an Azure VPN gateway to send encrypted traffic between your virtual network and your on-premises
location across a public connection, or to send traffic between virtual networks.
Site-to-site VPNs use IPsec for transport encryption. Azure VPN gateways use a set of default proposals. You can
configure Azure VPN gateways to use a custom IPsec/IKE policy with specific cryptographic algorithms and key
strengths, rather than the Azure default policy sets.
Point-to-site VPNs
Point-to-site VPNs allow individual client computers access to an Azure virtual network. The Secure Socket
Tunneling Protocol (SSTP) is used to create the VPN tunnel. It can traverse firewalls (the tunnel appears as an
HTTPS connection). You can use your own internal public key infrastructure (PKI) root certificate authority (CA) for
point-to-site connectivity.
You can configure a point-to-site VPN connection to a virtual network by using the Azure portal with certificate
authentication or PowerShell.
To learn more about point-to-site VPN connections to Azure virtual networks, see:
Configure a point-to-site connection to a virtual network by using certificate authentication: Azure portal
Configure a point-to-site connection to a virtual network by using certificate authentication: PowerShell
Site-to-site VPNs
You can use a site-to-site VPN gateway connection to connect your on-premises network to an Azure virtual
network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires an on-premises VPN
device that has an external-facing public IP address assigned to it.
You can configure a site-to-site VPN connection to a virtual network by using the Azure portal, PowerShell, or
Azure CLI.
For more information, see:
Create a site-to-site connection in the Azure portal
Create a site-to-site connection in PowerShell
Create a virtual network with a site-to-site VPN connection by using CLI

In-transit encryption in Data Lake


Data in transit (also known as data in motion) is also always encrypted in Data Lake Store. In addition to
encrypting data prior to storing it in persistent media, the data is also always secured in transit by using HTTPS.
HTTPS is the only protocol that is supported for the Data Lake Store REST interfaces.
To learn more about encryption of data in transit in Data Lake, see Encryption of data in Data Lake Store.

Key management with Key Vault


Without proper protection and management of the keys, encryption is rendered useless. Key Vault is the Microsoft-
recommended solution for managing and controlling access to encryption keys used by cloud services.
Permissions to access keys can be assigned to services or to users through Azure Active Directory accounts.
Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs)
and key management software. When you use Key Vault, you maintain control. Microsoft never sees your keys, and
applications don’t have direct access to them. You can also import or generate keys in HSMs.

Next steps
Azure security overview
Azure network security overview
Azure database security overview
Azure virtual machines security overview
Data encryption at rest
Data security and encryption best practices
Azure database security overview
11/28/2018 • 13 minutes to read

Security is a top concern for managing databases, and it has always been a priority for Azure SQL Database. Azure
SQL Database supports connection security with firewall rules and connection encryption. It supports
authentication with username and password and Azure Active Directory (Azure AD) authentication, which uses
identities managed by Azure Active Directory. Authorization uses role-based access control.
Azure SQL Database supports encryption by performing real-time encryption and decryption of databases,
associated backups, and transaction log files at rest without requiring changes to the application.
Microsoft provides additional ways to encrypt enterprise data:
Cell-level encryption is available to encrypt specific columns or even cells of data with different encryption
keys.
If you need a hardware security module or central management of your encryption key hierarchy, consider
using Azure Key Vault with SQL Server in an Azure virtual machine (VM).
Always Encrypted (currently in preview) makes encryption transparent to applications. It also allows clients to
encrypt sensitive data inside client applications without sharing the encryption keys with SQL Database.
Azure SQL Database Auditing enables enterprises to record events to an audit log in Azure Storage. SQL
Database Auditing also integrates with Microsoft Power BI to facilitate drill-down reports and analyses.
Azure SQL databases can be tightly secured to satisfy most regulatory or security requirements, including HIPAA,
ISO 27001/27002, and PCI DSS Level 1. A current list of security compliance certifications is available at the
Microsoft Azure Trust Center site.
This article walks through the basics of securing Microsoft Azure SQL databases for structured, tabular, and
relational data. In particular, this article will get you started with resources for protecting data, controlling access,
and proactive monitoring.

Protection of data
SQL Database helps secure your data by providing encryption:
For data in motion through Transport Layer Security (TLS).
For data at rest through transparent data encryption.
For data in use through Always Encrypted.
For other ways to encrypt your data, consider:
Cell-level encryption to encrypt specific columns or even cells of data with different encryption keys.
Azure Key Vault with SQL Server in an Azure VM, if you need a hardware security module or central
management of your encryption key hierarchy.
Encryption in motion
A common problem for all client/server applications is the need for privacy as data moves over public and private
networks. If data moving over a network is not encrypted, there’s a chance that it can be captured and stolen by
unauthorized users. When you're dealing with database services, make sure that data is encrypted between the
database client and server. Also make sure that data is encrypted between database servers that communicate with
each other and with middle-tier applications.
One problem when you administer a network is securing data that's being sent between applications across an
untrusted network. You can use TLS/SSL to authenticate servers and clients, and then use it to encrypt messages
between the authenticated parties.
In the authentication process, a TLS/SSL client sends a message to a TLS/SSL server. The server responds with
the information that the server needs to authenticate itself. The client and server perform an additional exchange
of session keys, and the authentication dialog ends. When authentication is completed, SSL-secured
communication can begin between the server and the client through the symmetric encryption keys that are
established during the authentication process.
All connections to Azure SQL Database require encryption (TLS/SSL) at all times while data is "in transit" to and
from the database. SQL Database uses TLS/SSL to authenticate servers and clients and then uses it to encrypt
messages between the authenticated parties.
In your application's connection string, you must specify parameters to encrypt the connection and not to trust the
server certificate. (This is done for you if you copy your connection string out of the Azure portal.) Otherwise, the
connection will not verify the identity of the server and will be susceptible to "man-in-the-middle" attacks. For the
ADO.NET driver, for instance, these connection string parameters are Encrypt=True and
TrustServerCertificate=False.
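The connection string decides whether TLS is requested; the server can confirm whether it was actually negotiated. The following Transact-SQL is an added example (not from the original document) of a server-side check that a deployment or smoke test can run after connecting: it reads the encryption state of its own session from sys.dm_exec_connections and fails loudly if the session is not encrypted, then lists any other connected session that is not. The error number and message are assumptions for illustration.

```sql
-- Added example (not from the original document): confirm from the server side that the
-- current session negotiated TLS, and list any connected session that did not.
DECLARE @encrypted nvarchar(40),
        @protocol  nvarchar(40),
        @client    varchar(48);

SELECT @encrypted = encrypt_option,      -- 'TRUE' when the session is TLS-encrypted
       @protocol  = net_transport,
       @client    = client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- Fail the smoke test if our own connection string allowed a cleartext session.
IF @encrypted <> N'TRUE'
    THROW 50001, N'Connection is not TLS-encrypted; set Encrypt=True in the client connection string.', 1;

SELECT @encrypted AS encrypt_option,
       @protocol  AS net_transport,
       @client    AS client_net_address;

-- Fleet view: every currently connected session that is not encrypted, with who and from where.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = N'FALSE';
```

Two caveats apply. Azure SQL Database refuses unencrypted connections, so on that service the check confirms a property the platform already enforces; it earns its place against SQL Server running in a VM, where encryption is optional. And the server cannot see whether the client set TrustServerCertificate=True, because certificate validation happens on the client; that setting has to be reviewed in the application's configuration, not in a DMV.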

Encryption at rest
You can take several precautions to help secure the database. For example, design a secure system, encrypt
confidential assets, and build a firewall around the database servers. But in a scenario where the physical media
(such as drives or backup tapes) are stolen, a malicious party can just restore or attach the database and browse
the data.
One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data
with a certificate. This solution prevents anyone without the keys from using the data, but this kind of protection
must be planned.
To solve this problem, SQL Server and SQL Database support transparent data encryption. Transparent data
encryption encrypts SQL Server and SQL Database data files, known as encryption data at rest.
Transparent data encryption helps protect against the threat of malicious activity. It performs real-time encryption
and decryption of the database, associated backups, and transaction log files at rest without requiring changes to
the application.
Transparent data encryption encrypts the storage of an entire database by using a symmetric key called the
database encryption key. In SQL Database, the database encryption key is protected by a built-in server certificate.
The built-in server certificate is unique for each SQL Database server.
If a database is in a Geo-DR relationship, it's protected by a different key on each server. If two databases are
connected to the same server, they share the same built-in certificate. Microsoft automatically rotates these
certificates at least every 90 days.
For more information, see Transparent data encryption.
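As an added example (not from the original document), the following Transact-SQL reports the TDE state of the databases visible from the current connection, decoding the numeric encryption_state from sys.dm_database_encryption_keys into words and showing whether the key is protected by the service-managed certificate or a customer-managed asymmetric key. The remediation statement at the end is commented out so the report itself changes nothing.

```sql
-- Added example (not from the original document): TDE status report with a decoded state
-- column, plus the statement that turns encryption on for a database found unencrypted.
SELECT  d.name                                  AS database_name,
        d.is_encrypted,
        k.encryptor_type,                       -- CERTIFICATE (service-managed) or ASYMMETRIC KEY (customer-managed)
        k.key_algorithm,
        k.key_length,
        CASE k.encryption_state
            WHEN 0 THEN 'no database encryption key present'
            WHEN 1 THEN 'unencrypted'
            WHEN 2 THEN 'encryption in progress'
            WHEN 3 THEN 'encrypted'
            WHEN 4 THEN 'key change in progress'
            WHEN 5 THEN 'decryption in progress'
            WHEN 6 THEN 'protection change in progress'
            ELSE        'unknown'
        END                                     AS encryption_state_desc
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
WHERE d.name NOT IN ('master', 'tempdb', 'model', 'msdb')   -- system databases are handled by the platform
ORDER BY d.name;

-- Remediation for a database that reports is_encrypted = 0: run this connected to that database.
-- ALTER DATABASE CURRENT SET ENCRYPTION ON;
```

In Azure SQL Database the DMV only returns the key of the database you are connected to, so run the query inside each database you want to inspect; from master, the is_encrypted column of sys.databases gives the server-wide summary. Because TDE on new Azure SQL databases is on by default, the databases worth finding with this report are older ones created before that default and databases restored from unencrypted sources.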
Encryption in use (client)
Most data breaches involve the theft of critical data such as credit card numbers or personally identifiable
information. Databases can be treasure troves of sensitive information. They can contain customers' personal data
(like national identification numbers), confidential competitive information, and intellectual property. Lost or stolen
data, especially customer data, can result in brand damage, competitive disadvantage, serious fines, and even
lawsuits.
Always Encrypted is a feature designed to protect sensitive data stored in Azure SQL Database or SQL Server
databases. Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the
encryption keys to the database engine (SQL Database or SQL Server).
Always Encrypted provides a separation between people who own the data (and can view it) and people who
manage the data (but should have no access). It helps ensure that on-premises database administrators, cloud
database operators, or other high-privileged but unauthorized users cannot access the encrypted data.
In addition, Always Encrypted makes encryption transparent to applications. An Always Encrypted-enabled driver
is installed on the client computer so that it can automatically encrypt and decrypt sensitive data in the client
application. The driver encrypts the data in sensitive columns before passing the data to the database engine. The
driver automatically rewrites queries so that the semantics to the application are preserved. Similarly, the driver
transparently decrypts data, stored in encrypted database columns, contained in query results.

Access control
To provide security, SQL Database controls access by using:
Firewall rules that limit connectivity by IP address.
Authentication mechanisms that require users to prove their identity.
Authorization mechanisms that limit users to specific actions and data.
Database access
Data protection begins with controlling access to your data. The datacenter that hosts your data manages physical
access. You can configure a firewall to manage security at the network layer. You also control access by configuring
logins for authentication and defining permissions for server and database roles.
Firewall and firewall rules
Azure SQL Database provides a relational database service for Azure and other internet-based applications. To
help protect your data, firewalls prevent all access to your database server until you specify which computers have
permission. The firewall grants access to databases based on the originating IP address of each request. For more
information, see Overview of Azure SQL Database firewall rules.
The Azure SQL Database service is available only through TCP port 1433. To access a SQL database from your
computer, ensure that your client computer firewall allows outgoing TCP communication on TCP port 1433. If
inbound connections are not needed for other applications, block them on TCP port 1433.
Authentication
Authentication refers to how you prove your identity when connecting to the database. SQL Database supports
two types of authentication:
SQL Server authentication: When a logical SQL instance is created, a single login account, called the SQL
Database Subscriber Account, is created with it. This account connects by using SQL Server authentication (username
and password). It is an administrator on the logical server instance and on all user databases
attached to that instance. The permissions of the subscriber account cannot be restricted. Only one of these
accounts can exist.
Azure Active Directory authentication: Azure AD authentication is a mechanism of connecting to Azure
SQL Database and Azure SQL Data Warehouse by using identities in Azure AD. You can use it to centrally
manage identities of database users.

Advantages of Azure AD authentication include:


It provides an alternative to SQL Server authentication.
It helps stop the proliferation of user identities across database servers and allows password rotation in a single
place.
You can manage database permissions by using external (Azure AD) groups.
It can eliminate storing passwords by enabling integrated Windows authentication and other forms of
authentication that Azure AD supports.
Authorization
Authorization refers to what a user can do within an Azure SQL database. It's controlled by your user account's
database role memberships and object-level permissions. Authorization is the process of determining which
securable resources a principal can access, and which operations are allowed for those resources.
Application access
Dynamic data masking
A service representative at a call center might identify callers by several digits of their social security number or
credit card number. But those data items should not be fully exposed to the service representative.
You can define a masking rule that masks all but the last four digits of a social security number or credit card
number in the result set of any query.
As another example, an appropriate data mask can be defined to protect personally identifiable information. A
developer can then query production environments for troubleshooting purposes without violating compliance
regulations.
SQL Database dynamic data masking limits sensitive data exposure by masking it to non-privileged users.
Dynamic data masking is supported for the V12 version of Azure SQL Database.
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling you to designate how
much of the sensitive data to reveal with minimal impact on the application layer. It’s a policy-based security
feature that hides the sensitive data in the result set of a query over designated database fields, while the data in
the database is not changed.

NOTE
Dynamic data masking can be configured by the Azure Database admin, server admin, or security officer roles.
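The call-center scenario above, as an added Transact-SQL example that is not part of the original document: a table whose identifying columns carry masking rules, a low-privilege database user who sees only the masked results, and an inventory query over sys.masked_columns. Table, column and user names and the sample row are assumptions for illustration.

```sql
-- Added example (not from the original document): dynamic data masking for a call-center table.
-- Names and sample data are illustrative.
CREATE TABLE dbo.Caller
(
    CallerId   int           NOT NULL PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Email      nvarchar(200) NOT NULL MASKED WITH (FUNCTION = 'email()'),
    SSN        char(11)      NOT NULL MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)'),
    CardNumber char(19)      NULL     MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)')
);

INSERT INTO dbo.Caller (CallerId, FullName, Email, SSN, CardNumber)
VALUES (1, N'Example Caller', N'caller@example.com', '123-45-6789', '4111-1111-1111-1111');

-- A rule can be added to an existing column later; the stored data is untouched.
ALTER TABLE dbo.Caller ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'default()');

-- The service representative has SELECT but not UNMASK, so every masked column comes back masked.
CREATE USER ServiceRep WITHOUT LOGIN;
GRANT SELECT ON dbo.Caller TO ServiceRep;

EXECUTE AS USER = 'ServiceRep';
SELECT CallerId, FullName, Email, SSN, CardNumber FROM dbo.Caller;   -- last four digits visible only
REVERT;

-- Roles that legitimately need clear text get UNMASK explicitly rather than elevated rights.
-- GRANT UNMASK TO FraudAnalysts;

-- Inventory: every column in this database that carries a masking rule.
SELECT SCHEMA_NAME(t.schema_id) + '.' + t.name AS table_name,
       c.name                                  AS column_name,
       c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables         AS t ON t.object_id = c.object_id
WHERE c.is_masked = 1
ORDER BY table_name, column_name;
```

Masking changes only the result set, so it is an exposure control, not encryption: a user who holds SELECT can still write predicates against a masked column (WHERE SSN = '...') and infer values. Keep it paired with the access controls in this section rather than in place of them, and grant UNMASK to as few roles as possible.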

Row-Level Security
Another common security requirement for multitenant databases is Row-Level Security. You can use this feature
to control access to rows in a database table based on the characteristics of the user who's executing a query.
(Example characteristics are group membership and execution context.)

The access restriction logic is located in the database tier rather than away from the data in another application tier.
The database system applies the access restrictions every time that data access is attempted from any tier. This
makes your security system more reliable and robust by reducing the surface area of your security system.
Row-Level Security introduces predicate-based access control. It features a flexible, centralized evaluation that can
take into consideration metadata or any other criteria the administrator determines as appropriate. The predicate is
used as a criterion to determine whether or not the user has the appropriate access to the data based on user
attributes. You can implement label-based access control by using predicate-based access control.
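The following Transact-SQL is an added example (not from the original document) of predicate-based Row-Level Security for a multitenant table. The predicate uses both characteristics named above: the execution context, through a tenant id the application stores in SESSION_CONTEXT, and group membership, through a database role for auditors. The schema, table, role and function names and the sample rows are assumptions for illustration.

```sql
-- Added example (not from the original document): Row-Level Security keyed on the tenant id in
-- SESSION_CONTEXT and on membership of an auditor role. Names and data are illustrative.
CREATE SCHEMA Security;
GO
CREATE ROLE TenantAuditor;   -- members may see every tenant's rows

CREATE TABLE dbo.Orders
(
    OrderId  int           NOT NULL PRIMARY KEY,
    TenantId int           NOT NULL,
    Amount   decimal(10,2) NOT NULL
);
INSERT INTO dbo.Orders (OrderId, TenantId, Amount)
VALUES (1, 10, 99.00), (2, 10, 15.50), (3, 20, 250.00);
GO
-- Predicate function: a row qualifies when its TenantId equals the session's tenant, or when the
-- caller is a TenantAuditor. Returning a row means "allowed"; returning nothing means "hidden".
CREATE FUNCTION Security.fn_TenantPredicate(@TenantId int)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS int)
              OR IS_MEMBER('TenantAuditor') = 1;
GO
-- FILTER hides other tenants' rows from SELECT, UPDATE and DELETE.
-- BLOCK stops inserts or updates that would place a row under another tenant.
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders AFTER UPDATE
    WITH (STATE = ON);
GO
-- The application sets the tenant once after connecting. @read_only = 1 means no later statement in
-- the session, including one carrying injected SQL, can switch the tenant.
EXEC sp_set_session_context @key = N'TenantId', @value = 10, @read_only = 1;

SELECT OrderId, TenantId, Amount FROM dbo.Orders;   -- the filter predicate limits this to tenant 10
INSERT INTO dbo.Orders (OrderId, TenantId, Amount)
VALUES (4, 20, 1.00);                                -- rejected by the AFTER INSERT block predicate
```

Two points of design matter in practice. First, the application must set SESSION_CONTEXT on every connection it takes from a pool, because the context is per session, not per user; a pooled connection that skips the call sees no rows at all, which is the safe failure. Second, keep the predicate function free of data access to other tables where possible: it runs for every qualifying row, and a side effect or slow lookup inside it becomes both a performance and a correctness problem.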

Proactive monitoring
SQL Database helps secure your data by providing auditing and threat detection capabilities.
Auditing
Azure SQL Database auditing increases your ability to gain insight into events and changes that occur within the
database. Examples are updates and queries against the data.
SQL Database auditing tracks database events and writes them to an audit log in your Azure storage account.
Auditing can help you maintain regulatory compliance, understand database activity, and gain insight into
discrepancies and anomalies that might indicate business concerns or suspected security violations. Auditing
enables and facilitates adherence to compliance standards but doesn't guarantee compliance.
You can use SQL Database auditing to:
Retain an audit trail of selected events. You can define categories of database actions to be audited.
Report on database activity. You can use pre-configured reports and a dashboard to get started quickly with
activity and event reporting.
Analyze reports. You can find suspicious events, unusual activity, and trends.
There are two auditing methods:
Blob auditing: Logs are written to Azure Blob storage. This is a newer auditing method. It provides higher
performance, supports higher granularity object-level auditing, and is more cost effective.
Table auditing: Logs are written to Azure Table storage.
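Blob audit logs can be read back with Transact-SQL, which makes the "analyze reports" step above something a defender can script. As an added example (not from the original document), the following queries run two detections over an audit log container: failed logins clustered by principal and source address, and statements that read a sensitive table from an application not on an allow-list. The storage URL is a placeholder to fill in, and the 24-hour window, the threshold of ten attempts, the table name and the allow-list are assumptions for illustration.

```sql
-- Added example (not from the original document): two detection queries over SQL Database blob
-- audit logs. The URL is a placeholder; thresholds, table name and allow-list are illustrative.
DECLARE @logs nvarchar(4000) =
    N'https://<storageaccount>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/';

-- 1. Failed logins grouped by principal and client address. Many failures from one address
--    across several principals within a short window is the shape of credential guessing.
SELECT server_principal_name,
       client_ip,
       COUNT(*)        AS failed_attempts,
       MIN(event_time) AS first_seen,
       MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@logs, DEFAULT, DEFAULT)
WHERE action_id  = 'LGIF'                                   -- LOGIN FAILED
  AND event_time >= DATEADD(hour, -24, SYSUTCDATETIME())
GROUP BY server_principal_name, client_ip
HAVING COUNT(*) >= 10
ORDER BY failed_attempts DESC;

-- 2. Successful statements that touch a sensitive table from an application name that is not on
--    the inventory: ad hoc tooling pointed at production, or a compromised credential reused elsewhere.
SELECT event_time,
       server_principal_name,
       client_ip,
       application_name,
       statement
FROM sys.fn_get_audit_file(@logs, DEFAULT, DEFAULT)
WHERE succeeded = 1
  AND statement LIKE '%dbo.Customer%'
  AND application_name NOT IN (N'OrdersApi', N'ReportingService')   -- assumed allow-list
ORDER BY event_time DESC;
```

These queries read the raw files, so their cost scales with the size of the container; for routine use, scope the URL to a server and database and keep the time window short, and treat the thresholds as starting points to tune against your own baseline of normal failures and applications.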
Threat detection
Advanced Threat Protection for Azure SQL Database detects suspicious activities that indicate potential security
threats. You can use threat detection to respond to suspicious events in the database, such as SQL injections, as
they occur. It provides alerts and allows the use of Azure SQL Database auditing to explore the suspicious events.

SQL Advanced Threat Protection (ATP) provides a set of advanced SQL security capabilities, including Data
Discovery & Classification, Vulnerability Assessment, and Threat Detection.
Data Discovery & Classification
Vulnerability Assessment
Threat Detection
Azure Database for PostgreSQL Advanced Threat Protection provides a new layer of security, which enables you
to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users
receive an alert upon suspicious database activities and potential vulnerabilities, as well as anomalous database
access and query patterns. Advanced Threat Protection for Azure Database for PostgreSQL integrates alerts with
Azure Security Center. Types of alerts include:
Access from unusual location
Access from unusual Azure data center
Access from unfamiliar principal
Access from a potentially harmful application
Brute force Azure database for PostgreSQL credentials
Azure Database for MySQL Advanced Threat Protection provides protection similar to Advanced Threat Protection
for Azure Database for PostgreSQL.

Centralized security management


Azure Security Center helps you prevent, detect, and respond to threats. It provides integrated security monitoring
and policy management across your Azure subscriptions. It helps detect threats that might otherwise go
unnoticed, and it works with a broad ecosystem of security solutions.
Security Center helps you safeguard data in SQL Database by providing visibility into the security of all your
servers and databases. With Security Center, you can:
Define policies for SQL Database encryption and auditing.
Monitor the security of SQL Database resources across all your subscriptions.
Quickly identify and remediate security issues.
Integrate alerts from Azure SQL Database threat detection.
Security Center supports role-based access.

SQL Information Protection


SQL Information Protection automatically discovers and classifies potentially sensitive data, provides a labeling
mechanism for persistently tagging sensitive data with classification attributes, and provides a detailed dashboard
showing the classification state of the database.
In addition, it calculates the result set sensitivity of SQL queries, so that queries that extract sensitive data can be
explicitly audited, and the data can be protected. For more details on SQL Information Protection, see Azure SQL
Database Data Discovery and Classification.
You can configure SQL Information Protection policies in Azure Security Center.

Azure Marketplace
The Azure Marketplace is an online applications and services marketplace that enables start-ups and independent
software vendors (ISVs) to offer their solutions to Azure customers around the world. The Azure Marketplace
combines Microsoft Azure partner ecosystems into a unified platform to better serve customers and partners. You
can run a search to view database security products available in the Azure Marketplace.

Next steps
Secure your Azure SQL database
Azure Security Center and Azure SQL Database service
SQL Database threat detection
Improve SQL database performance
Azure database security best practices
11/7/2018 • 10 minutes to read

Security is a top concern for managing databases, and it has always been a priority for Azure SQL Database. Your
databases can be tightly secured to help satisfy most regulatory or security requirements, including HIPAA, ISO
27001/27002, and PCI DSS Level 1. A current list of security compliance certifications is available at the Microsoft
Trust Center site. You also can choose to place your databases in specific Azure datacenters based on regulatory
requirements.
In this article, we discuss a collection of Azure database security best practices. These best practices are derived
from our experience with Azure database security and the experiences of customers like yourself.
For each best practice, we explain:
What the best practice is
Why you want to enable that best practice
What might be the result if you fail to enable the best practice
How you can learn to enable the best practice
This Azure Database Security Best Practices article is based on a consensus opinion and Azure platform
capabilities and feature sets as they exist at the time this article was written. Opinions and technologies change
over time and this article will be updated on a regular basis to reflect those changes.

Use firewall rules to restrict database access


Microsoft Azure SQL Database provides a relational database service for Azure and other internet-based
applications. To provide access security, SQL Database controls access with:
Firewall rules that limit connectivity by IP address.
Authentication mechanisms that require users to prove their identity.
Authorization mechanisms that limit users to specific actions and data.
Firewalls prevent all access to your database server until you specify which computers have permission. The
firewall grants access to databases based on the originating IP address of each request.
The following figure shows where you set a server firewall in SQL Database:

The Azure SQL Database service is available only through TCP port 1433. To access a SQL database from your
computer, ensure that your client computer firewall allows outgoing TCP communication on TCP port 1433. Block
inbound connections on TCP port 1433 by using firewall rules, if you don’t need these connections for other
applications.
As part of the connection process, connections from Azure virtual machines are redirected to an IP address and
port that are unique for each worker role. The port number is in the range from 11000 to 11999. For more
information about TCP ports, see Ports beyond 1433 for ADO.NET 4.5.
For more information about firewall rules in SQL Database, see SQL Database firewall rules.

NOTE
In addition to IP rules, the firewall manages virtual network rules. Virtual network rules are based on virtual network service
endpoints. Virtual network rules might be preferable to IP rules in some cases. To learn more, see Virtual network service
endpoints and rules for Azure SQL Database.
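The firewall described in this section and in the earlier "Firewall and firewall rules" discussion can be managed and audited from Transact-SQL as well as from the portal. The following is an added example (not from the original document): it creates a server-level rule for a single egress address, shows the database-level equivalent, reviews every server-level rule in sys.firewall_rules and flags the two ranges that deserve attention, and removes a rule. The rule names and the IP addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions for illustration.

```sql
-- Added example (not from the original document): manage and review Azure SQL Database firewall
-- rules with T-SQL. Server-level statements run in master. Names and addresses are illustrative.

-- Server-level rule for one office egress address (start = end for a single host).
EXEC sp_set_firewall_rule @name = N'OfficeEgress',
     @start_ip_address = '203.0.113.10', @end_ip_address = '203.0.113.10';

-- Database-level rules are stored in the user database and travel with it on geo-replication.
-- Run this variant connected to the user database rather than to master.
-- EXEC sp_set_database_firewall_rule @name = N'AppTier',
--      @start_ip_address = '198.51.100.0', @end_ip_address = '198.51.100.255';

-- Review every server-level rule. 0.0.0.0 to 0.0.0.0 is the "Allow access to Azure services"
-- switch, which admits any Azure-hosted tenant; 0.0.0.0 to 255.255.255.255 is the whole internet.
SELECT name,
       start_ip_address,
       end_ip_address,
       CASE
           WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '0.0.0.0'
               THEN 'allows all Azure services (AllowAllWindowsAzureIps); justify or remove'
           WHEN start_ip_address = '0.0.0.0' AND end_ip_address = '255.255.255.255'
               THEN 'allows the entire internet; remove'
           ELSE 'scoped range'
       END AS assessment,
       modify_date
FROM sys.firewall_rules
ORDER BY modify_date DESC;

-- Remove a rule that is no longer justified (for example, an address added for a one-off support session).
EXEC sp_delete_firewall_rule @name = N'OfficeEgress';
```

The modify_date column is the quickest way to spot rules that were added outside a change window. A rule with start and end both 0.0.0.0 is worth a second look even though it is not "the internet": it trusts every Azure subscription, including other customers', and the virtual network rules mentioned in the note above are the narrower replacement for it.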

Enable database authentication


SQL Database supports two types of authentication, SQL Server authentication and Azure AD authentication.
SQL Server Authentication
Benefits include the following:
It allows SQL Database to support environments with mixed operating systems, where not all users are
authenticated by a Windows domain.
It allows SQL Database to support older applications and partner-supplied applications that require SQL Server
authentication.
It allows users to connect from unknown or untrusted domains. An example is an application where established
customers connect with assigned SQL Server logins to receive the status of their orders.
It allows SQL Database to support web-based applications where users create their own identities.
It allows software developers to distribute their applications by using a complex permission hierarchy based on
known, preset SQL Server logins.

NOTE
SQL Server authentication cannot use the Kerberos security protocol.

If you use SQL Server authentication, you must:


Manage the strong credentials yourself.
Protect the credentials in the connection string.
(Potentially) protect the credentials passed over the network from the web server to the database. For more
information, see How to: Connect to SQL Server Using SQL Authentication in ASP.NET 2.0.
Azure Active Directory (AD) authentication
Azure AD authentication is a mechanism of connecting to Azure SQL Database and SQL Data Warehouse by
using identities in Azure AD. With Azure AD authentication, you can manage the identities of database users and
other Microsoft services in one central location. Central ID management provides a single place to manage
database users and simplifies permission management.

NOTE
We recommend the use of Azure AD authentication over the use of SQL Server authentication.
Benefits include the following:
It provides an alternative to SQL Server authentication.
It helps stop the proliferation of user identities across database servers.
It allows password rotation in a single place.
Customers can manage database permissions by using external (Azure AD) groups.
It can eliminate storing passwords by enabling integrated Windows authentication and other forms of
authentication supported by Azure Active Directory.
It uses contained database users to authenticate identities at the database level.
It supports token-based authentication for applications that connect to SQL Database.
It supports AD FS (domain federation) or native user/password authentication for a local Azure Active
Directory instance without domain synchronization.
Azure AD supports connections from SQL Server Management Studio that use Active Directory Universal
Authentication, which includes Multi-Factor Authentication. Multi-Factor Authentication provides strong
authentication with a range of verification options—phone call, text message, smart cards with PIN, or mobile
app notification. For more information, see SSMS support for Azure AD Multi-Factor Authentication with SQL
Database and SQL Data Warehouse.
The configuration steps include the following procedures to configure and use Azure AD authentication:
Create and populate Azure AD.
Optional: Associate or change the Active Directory instance that’s currently associated with your Azure
subscription.
Create an Azure Active Directory administrator for Azure SQL Database or Azure SQL Data Warehouse.
Configure your client computers.
Create contained database users in your database mapped to Azure AD identities.
Connect to your database by using Azure AD identities.
You can find detailed information in Use Azure Active Directory authentication for authentication with SQL
Database, Managed Instance, or SQL Data Warehouse.

Protect your data by using encryption and row-level security


Azure SQL Database transparent data encryption helps protect data on disk and protects against unauthorized
access to hardware. It performs real-time encryption and decryption of the database, associated backups, and
transaction log files at rest without requiring changes to the application. Transparent data encryption encrypts the
storage of an entire database by using a symmetric key called the database encryption key.
Even when the entire storage is encrypted, it’s important to also encrypt the database itself. This is an
implementation of the defense-in-depth approach for data protection. If you’re using Azure SQL Database and
want to protect sensitive data (such as credit card or social security numbers), you can encrypt databases with FIPS
140-2 validated 256-bit AES encryption. This encryption meets the requirements of many industry standards (for
example, HIPAA and PCI).
Files related to buffer pool extension (BPE) are not encrypted when you encrypt a database by using transparent
data encryption. You must use file-system-level encryption tools like BitLocker or the Encrypting File System (EFS)
for BPE-related files.
Because an authorized user like a security administrator or a database administrator can access the data even if the
database is encrypted with transparent data encryption, you should also follow these recommendations:
Enable SQL Server authentication at the database level.
Use Azure AD authentication by using RBAC roles.
Make sure that users and applications use separate accounts to authenticate. This way, you can limit the
permissions granted to users and applications and reduce the risk of malicious activity.
Implement database-level security by using fixed database roles (such as db_datareader or db_datawriter). Or
you can create custom roles for your application to grant explicit permissions to selected database objects.
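The following T-SQL is an added example, not code from the original article, that puts the Azure AD configuration steps earlier in this section and the account and role recommendations just above into practice: contained database users created from Azure AD identities, a separate identity for the application, and a custom role that grants only the objects the application needs. Run it in the user database while connected as the server's Azure AD administrator (an Azure AD principal is required to create users FROM EXTERNAL PROVIDER). The group name, managed-identity name, schema and table are assumptions.

```sql
-- Added example (not from the original article). Identities, schema and
-- table names are assumptions: replace them with your own.

-- 1. An Azure AD group for people who need read-only access. Membership is
--    managed in Azure AD, so a leaver loses database access with the group.
CREATE USER [SQL-Readers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [SQL-Readers];

-- 2. The application's managed identity gets its own contained user; it never
--    shares a human account or a SQL login embedded in a connection string.
CREATE USER [contoso-orders-api] FROM EXTERNAL PROVIDER;

-- 3. A custom role with explicit, object-scoped permissions instead of
--    db_owner or db_datawriter on the whole database.
CREATE ROLE orders_app;
GRANT SELECT, INSERT, UPDATE ON OBJECT::dbo.Orders TO orders_app;
GRANT EXECUTE ON SCHEMA::api TO orders_app;   -- stored procedures the API calls
ALTER ROLE orders_app ADD MEMBER [contoso-orders-api];

-- 4. Verify: every external (Azure AD) principal and the roles it holds.
SELECT dp.name, dp.type_desc, dp.authentication_type_desc, r.name AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('E', 'X');   -- E = external user, X = external group
```

The verification query is the one to keep in a periodic access review: anything with type E or X that is a member of db_owner, or that has been granted permissions directly rather than through a role, is worth a question.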
For other ways to secure your data, consider:
Cell-level encryption to encrypt specific columns or even cells of data with different encryption keys.
Always Encrypted, which allows clients to encrypt sensitive data inside client applications and never reveal the
encryption keys to the Database Engine (SQL Database or SQL Server). As a result, Always Encrypted provides
a separation between those who own the data (and can view it) and those who manage the data (but should
have no access).
Row-Level Security, which enables customers to control access to rows in a database table based on the
characteristics of the user who is executing a query. (Example characteristics are group membership and
execution context.)
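The Row-Level Security described above, as an added T-SQL example that is not part of the original article. It restricts rows to the tenant the application places in SESSION_CONTEXT (execution context) and lets members of one database role see every tenant (group membership). The schema, table, column and role names are assumptions.

```sql
-- Added example (not from the original article). Schema, table, column and
-- role names are assumptions; adjust them to your own database.
CREATE SCHEMA Security;
GO
CREATE TABLE dbo.Invoices (
    InvoiceId int IDENTITY PRIMARY KEY,
    TenantId  int NOT NULL,
    Amount    decimal(12, 2) NOT NULL
);
GO
-- Analysts who may see all tenants. Add an Azure AD group to this role
-- (ALTER ROLE support_analysts ADD MEMBER [Support-Analysts]) rather than
-- individual users, so membership stays managed in Azure AD.
CREATE ROLE support_analysts;
GO
-- The predicate is an inline, schema-bound table-valued function that returns
-- a row exactly when the caller may access the row. If the application forgot
-- to set TenantId, SESSION_CONTEXT is NULL, nothing matches, and the policy
-- fails closed.
CREATE FUNCTION Security.fn_tenantPredicate (@TenantId AS int)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS int)
   OR IS_ROLEMEMBER('support_analysts') = 1;
GO
-- FILTER silently removes other tenants' rows from SELECT, UPDATE and DELETE.
-- BLOCK rejects an INSERT or UPDATE that would produce a row for another tenant.
CREATE SECURITY POLICY Security.InvoicePolicy
    ADD FILTER PREDICATE Security.fn_tenantPredicate(TenantId) ON dbo.Invoices,
    ADD BLOCK PREDICATE  Security.fn_tenantPredicate(TenantId) ON dbo.Invoices AFTER INSERT,
    ADD BLOCK PREDICATE  Security.fn_tenantPredicate(TenantId) ON dbo.Invoices AFTER UPDATE
WITH (STATE = ON, SCHEMABINDING = ON);
GO
-- The application sets the tenant once per connection. @read_only = 1 means a
-- later statement in the same session, including injected SQL, cannot change it.
EXEC sp_set_session_context @key = N'TenantId', @value = 42, @read_only = 1;
INSERT dbo.Invoices (TenantId, Amount) VALUES (42, 100.00);  -- succeeds
INSERT dbo.Invoices (TenantId, Amount) VALUES (7, 100.00);   -- rejected by the block predicate (error 33504)
SELECT InvoiceId, TenantId, Amount FROM dbo.Invoices;         -- returns tenant 42 rows only
```

Two caveats a practitioner should keep in mind: the policy protects the table only while STATE = ON and only for principals who cannot ALTER it, so grant ALTER ANY SECURITY POLICY sparingly; and a user who can run arbitrary queries may still infer filtered values through side channels such as divide-by-zero errors in a WHERE clause, which is why Row-Level Security complements, rather than replaces, Always Encrypted for the most sensitive columns.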
Organizations that are not using database-level encryption might be more susceptible to attacks that compromise
data located in SQL databases.
You can learn more about SQL Database transparent data encryption by reading the article Transparent Data
Encryption with Azure SQL Database.

Enable database auditing


Auditing an instance of the SQL Server Database Engine or an individual database involves tracking and logging
events. For SQL Server, you can create audits that contain specifications for server-level events and specifications
for database-level events. Audited events can be written to the event logs or to audit files.
There are several levels of auditing for SQL Server, depending on government or standards requirements for your
installation. SQL Server auditing provides tools and processes for enabling, storing, and viewing audits on various
server and database objects.
Azure SQL Database auditing tracks database events and writes them to an audit log in your Azure storage
account.
Auditing can help you maintain regulatory compliance, understand database activity, and find discrepancies and
anomalies that might point to business concerns or security violations. Auditing facilitates adherence to compliance
standards but doesn't guarantee compliance.
To learn more about database auditing and how to enable it, see Get started with SQL database auditing.
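Once auditing writes to the storage account, the audit files can be queried from T-SQL with sys.fn_get_audit_file. The queries below are an added example, not part of the original article, showing the three views a responder usually wants first: failed logins by source, access to a sensitive table, and permission or role changes. The blob path, table name and thresholds are assumptions; take the real path from the audit settings of your server or database.

```sql
-- Added example (not from the original article). The storage path and the
-- table name are assumptions. Run with a principal that has CONTROL SERVER
-- (the server admin or the Azure AD admin).
DECLARE @auditPath nvarchar(4000) =
    N'https://contosoaudit.blob.core.windows.net/sqldbauditlogs/contoso-sql/ordersdb/SqlDbAuditing_ServerAudit/2019-01-02/';

-- 1. Failed logins grouped by client address and login name. A burst from one
--    address is brute forcing; a steady trickle under one name is usually a
--    job still using a rotated password. LGIF = login failed.
SELECT client_ip, server_principal_name, COUNT(*) AS failures,
       MIN(event_time) AS first_seen, MAX(event_time) AS last_seen
FROM sys.fn_get_audit_file(@auditPath, DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
GROUP BY client_ip, server_principal_name
HAVING COUNT(*) >= 10
ORDER BY failures DESC;

-- 2. Who touched the sensitive table, from where, and with which tool. An
--    interactive client (SSMS, sqlcmd) reading a table that only the API
--    should read is the kind of discrepancy the article refers to.
SELECT event_time, server_principal_name, client_ip, application_name,
       action_id, succeeded, statement
FROM sys.fn_get_audit_file(@auditPath, DEFAULT, DEFAULT)
WHERE object_name = 'Invoices'
  AND action_id IN ('SL', 'IN', 'UP', 'DL')   -- select, insert, update, delete
ORDER BY event_time;

-- 3. Grants, denies, revokes and role membership changes are rare in a
--    healthy system; every one should map to a change ticket.
--    (sys.dm_audit_actions lists every action_id with its description.)
SELECT event_time, server_principal_name, client_ip, statement
FROM sys.fn_get_audit_file(@auditPath, DEFAULT, DEFAULT)
WHERE action_id IN ('G', 'D', 'R', 'APRL', 'DPRL')
ORDER BY event_time;
```

For ad-hoc investigation these queries are enough; for continuous detection, send the same audit log to Log Analytics or Event Hub so the thresholds can become alert rules rather than queries someone has to remember to run.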

Enable database threat detection


Threat protection goes beyond detection. Database threat protection includes:
Discovering and classifying your most sensitive data so you can protect your data.
Implementing secure configurations on your database so you can protect your database.
Detecting and responding to potential threats as they occur so you can quickly respond and remediate.
Best practice: Discover, classify, and label the sensitive data in your databases.
Detail: Classify the data in your SQL database by enabling Data Discovery and Classification in Azure SQL
Database. You can monitor access to your sensitive data in the Azure dashboard or download reports.
Best practice: Track database vulnerabilities so you can proactively improve your database security.
Detail: Use the Azure SQL Database Vulnerability Assessment service, which scans for potential database
vulnerabilities. The service employs a knowledge base of rules that flag security vulnerabilities and show deviations
from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
The rules are based on Microsoft best practices and focus on the security issues that present the biggest risks to
your database and its valuable data. They cover both database-level issues and server-level security issues, like
server firewall settings and server-level permissions. These rules also represent many of the requirements from
regulatory bodies to meet their compliance standards.
Best practice: Enable threat detection.
Detail: Enable Azure SQL Database Threat Detection to get security alerts and recommendations on how to
investigate and mitigate threats. You get alerts about suspicious database activities, potential vulnerabilities, and
SQL injection attacks, as well as anomalous database access and query patterns.
Advanced Threat Protection is a unified package for advanced SQL security capabilities. It includes the services
mentioned earlier: Data Discovery and Classification, Vulnerability Assessment, and Threat Detection. It provides a
single location for enabling and managing these capabilities.
Enabling these capabilities helps you:
Meet data privacy standards and regulatory compliance requirements.
Control access to your databases and harden their security.
Monitor a dynamic database environment where changes are hard to track.
Detect and respond to potential threats.
In addition, Threat Detection integrates alerts with Azure Security Center for a central view of the security state of
all of your Azure resources.

Next steps
See Azure security best practices and patterns for more security best practices to use when you’re designing,
deploying, and managing your cloud solutions by using Azure.
The following resources are available to provide more general information about Azure security and related
Microsoft services:
Azure Security Team Blog - for up to date information on the latest in Azure Security
Microsoft Security Response Center - where Microsoft security vulnerabilities, including issues with Azure, can
be reported or via email to [email protected]
Azure database security checklist
11/7/2018 • 2 minutes to read

To help improve security, Azure Database includes a number of built-in security controls that you can use to limit
and control access.
These include:
A firewall that enables you to create firewall rules limiting connectivity by IP address,
Server-level firewall accessible from the Azure portal
Database-level firewall rules accessible from SSMS
Secure connectivity to your database using secure connection strings
Use access management
Data encryption
SQL Database auditing
SQL Database threat detection

Introduction
Cloud computing requires new security paradigms that are unfamiliar to many application users, database
administrators, and programmers. As a result, some organizations are hesitant to implement a cloud infrastructure
for data management due to perceived security risks. However, much of this concern can be alleviated through a
better understanding of the security features built into Microsoft Azure and Microsoft Azure SQL Database.

Checklist
We recommend that you read the Azure Database Security Best Practices article prior to reviewing this checklist.
You will be able to get the most out of this checklist after you understand the best practices. You can then use this
checklist to make sure that you’ve addressed the important issues in Azure database security.

CHECKLIST CATEGORY: DESCRIPTION

Protect Data
Encryption in Motion/Transit: Transport Layer Security, for data encryption when data is moving to the networks. The database requires secure communication from clients based on the TDS (Tabular Data Stream) protocol over TLS (Transport Layer Security).
Encryption at rest: Transparent Data Encryption, when inactive data is stored physically in any digital form.

Control Access
Database Access: Authentication (Azure Active Directory authentication). Azure AD authentication uses identities managed by Azure Active Directory. Authorization grants users the least privileges necessary.
Application Access: Row-Level Security (using a security policy that restricts row-level access based on a user's identity, role, or execution context). Dynamic Data Masking (using permissions and policy, limits sensitive data exposure by masking it to non-privileged users).

Proactive Monitoring
Tracking & Detecting: Auditing tracks database events and writes them to an audit log/activity log in your Azure Storage account. Track Azure Database health using Azure Monitor Activity Logs. Threat Detection detects anomalous database activities indicating potential security threats to the database.
Azure Security Center: Data monitoring. Use Azure Security Center as a centralized security monitoring solution for SQL and other Azure services.
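Of the checklist items above, Dynamic Data Masking is the one not shown elsewhere on this page. The T-SQL below is an added example, not part of the original article: it masks the columns a checklist review would flag, grants UNMASK to a single role, demonstrates what a plain reader sees, and lists what is masked and who can bypass it. Table, column and role names are assumptions.

```sql
-- Added example (not from the original article). Table, column and role
-- names are assumptions.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Email      nvarchar(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    CardNumber char(16)      MASKED WITH (FUNCTION = 'partial(0,"XXXXXXXXXXXX",4)') NOT NULL,
    Ssn        char(11)      MASKED WITH (FUNCTION = 'default()') NULL
);
GO
-- A mask can be added to an existing column without rewriting its data.
ALTER TABLE dbo.Customers ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'partial(1,"*****",0)');
GO
INSERT dbo.Customers (FullName, Email, CardNumber, Ssn)
VALUES (N'Ada Lovelace', N'ada@example.com', '4111111111111111', '123-45-6789');  -- constructed sample row
GO
-- Only the fraud team sees real values; every other principal gets the mask.
CREATE ROLE fraud_analysts;
GRANT UNMASK TO fraud_analysts;
GO
-- A reporting reader with SELECT but without UNMASK. Expected result:
-- 'A*****', 'aXXX@XXXX.com', 'XXXXXXXXXXXX1111', 'xxxx'.
CREATE USER reporting_reader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO reporting_reader;
EXECUTE AS USER = 'reporting_reader';
SELECT FullName, Email, CardNumber, Ssn FROM dbo.Customers;
REVERT;
GO
-- Review 1: which columns are masked and how.
SELECT OBJECT_NAME(mc.object_id) AS table_name, mc.name AS column_name, mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Review 2: who can bypass the mask. This list should be short and expected.
SELECT dp.name AS grantee, dp.type_desc, p.state_desc, p.permission_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.permission_name = 'UNMASK';
```

Masking is a presentation control, not encryption: a principal with SELECT can still probe masked values with predicates (for example WHERE CardNumber LIKE '4111%'), and anyone with UNMASK, db_owner or the server admin sees everything. Use it to reduce casual exposure in reporting and support tooling, and rely on Always Encrypted or cell-level encryption where the database engine itself must not see the value.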

Conclusion
Azure Database is a robust database platform, with a full range of security features that meet many organizational
and regulatory compliance requirements. You can protect data by controlling access to it and by using a variety
of options for data security at the file, column, or row level with Transparent Data Encryption, Cell-Level
Encryption, or Row-Level Security. Always Encrypted also enables operations against encrypted data, simplifying
the process of application updates. In turn, access to audit logs of SQL Database activity provides you with the
information you need to know how and when data is accessed.

Next steps
You can improve the protection of your database against malicious users or unauthorized access with just a few
simple steps. In this tutorial you learn to:
Set up firewall rules for your server and or database.
Protect your data with encryption.
Enable SQL Database auditing.
Azure Data Security and Encryption Best Practices
1/2/2019 • 9 minutes to read

To help protect data in the cloud, you need to account for the possible states in which your data can occur, and
what controls are available for that state. Best practices for Azure data security and encryption relate to the
following data states:
At rest: This includes all information storage objects, containers, and types that exist statically on physical
media, whether magnetic or optical disk.
In transit: When data is being transferred between components, locations, or programs, it’s in transit. Examples
are transfer over the network, across a service bus (from on-premises to cloud and vice-versa, including hybrid
connections such as ExpressRoute), or during an input/output process.
In this article we will discuss a collection of Azure data security and encryption best practices. These best practices
are derived from our experience with Azure data security and encryption and the experiences of customers like
yourself.
For each best practice, we’ll explain:
What the best practice is
Why you want to enable that best practice
What might be the result if you fail to enable the best practice
Possible alternatives to the best practice
How you can learn to enable the best practice
This Azure Data Security and Encryption Best Practices article is based on a consensus opinion, and Azure
platform capabilities and feature sets, as they exist at the time this article was written. Opinions and technologies
change over time and this article will be updated on a regular basis to reflect those changes.

Choose a key management solution


Protecting your keys is essential to protecting your data in the cloud.
Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use. Key Vault
streamlines the key management process and enables you to maintain control of keys that access and encrypt
your data. Developers can create keys for development and testing in minutes, and then migrate them to
production keys. Security administrators can grant (and revoke) permission to keys, as needed.
You can use Key Vault to create multiple secure containers, called vaults. These vaults are backed by HSMs. Vaults
help reduce the chances of accidental loss of security information by centralizing the storage of application secrets.
Key vaults also control and log the access to anything stored in them. Azure Key Vault can handle requesting and
renewing Transport Layer Security (TLS) certificates. It provides features for a robust solution for certificate
lifecycle management.
Azure Key Vault is designed to support application keys and secrets. Key Vault is not intended to be a store for user
passwords.
Following are security best practices for using Key Vault.
Best practice: Grant access to users, groups, and applications at a specific scope.
Detail: Use RBAC’s predefined roles. For example, to grant access to a user to manage key vaults, you would
assign the predefined role Key Vault Contributor to this user at a specific scope. The scope in this case would be a
subscription, a resource group, or just a specific key vault. If the predefined roles don’t fit your needs, you can
define your own roles.
Best practice: Control what users have access to.
Detail: Access to a key vault is controlled through two separate interfaces: management plane and data plane. The
management plane and data plane access controls work independently.
Use RBAC to control what users have access to. For example, if you want to grant an application access to use keys
in a key vault, you only need to grant data plane access permissions by using key vault access policies, and no
management plane access is needed for this application. Conversely, if you want a user to be able to read vault
properties and tags but not have any access to keys, secrets, or certificates, you can grant this user read access by
using RBAC, and no access to the data plane is required.
Best practice: Store certificates in your key vault. Your certificates are of high value. In the wrong hands, your
application's security or the security of your data can be compromised.
Detail: Azure Resource Manager can securely deploy certificates stored in Azure Key Vault to Azure VMs when
the VMs are deployed. By setting appropriate access policies for the key vault, you also control who gets access to
your certificate. Another benefit is that you manage all your certificates in one place in Azure Key Vault. See
Deploy Certificates to VMs from customer-managed Key Vault for more information.
Best practice: Ensure that you can recover a deletion of key vaults or key vault objects.
Detail: Deletion of key vaults or key vault objects can be inadvertent or malicious. Enable the soft delete and
purge protection features of Key Vault, particularly for keys that are used to encrypt data at rest. Deletion of these
keys is equivalent to data loss, so you can recover deleted vaults and vault objects if needed. Practice Key Vault
recovery operations on a regular basis.

NOTE
If a user has contributor permissions (RBAC) to a key vault management plane, they can grant themselves access to the data
plane by setting a key vault access policy. We recommend that you tightly control who has contributor access to your key
vaults, to ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.

Manage with secure workstations


NOTE
The subscription administrator or owner should use a secure access workstation or a privileged access workstation.

Because the vast majority of attacks target the end user, the endpoint becomes one of the primary points of attack.
An attacker who compromises the endpoint can use the user’s credentials to gain access to the organization’s data.
Most endpoint attacks take advantage of the fact that users are administrators in their local workstations.
Best practice: Use a secure management workstation to protect sensitive accounts, tasks, and data.
Detail: Use a privileged access workstation to reduce the attack surface in workstations. These secure
management workstations can help you mitigate some of these attacks and ensure that your data is safer.
Best practice: Ensure endpoint protection.
Detail: Enforce security policies across all devices that are used to consume data, regardless of the data location
(cloud or on-premises).

Protect data at rest


Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty.
Best practice: Apply disk encryption to help safeguard your data.
Detail: Use Azure Disk Encryption. It enables IT administrators to encrypt Windows and Linux IaaS VM disks.
Disk Encryption combines the industry-standard Windows BitLocker feature and the Linux dm-crypt feature to
provide volume encryption for the OS and the data disks.
Azure Storage and Azure SQL Database encrypt data at rest by default, and many services offer encryption as an
option. You can use Azure Key Vault to maintain control of keys that access and encrypt your data. See Azure
resource providers encryption model support to learn more.
Best practice: Use encryption to help mitigate risks related to unauthorized data access.
Detail: Encrypt your drives before you write sensitive data to them.
Organizations that don’t enforce data encryption are more exposed to data-confidentiality issues. For example,
unauthorized or rogue users might steal data in compromised accounts or gain unauthorized access to data stored
in clear text. Companies also must prove that they are diligent and using correct security controls to enhance
their data security in order to comply with industry regulations.

Protect data in transit


Protecting data in transit should be an essential part of your data protection strategy. Because data is moving back
and forth from many locations, we generally recommend that you always use SSL/TLS protocols to exchange data
across different locations. In some circumstances, you might want to isolate the entire communication channel
between your on-premises and cloud infrastructures by using a VPN.
For data moving between your on-premises infrastructure and Azure, consider appropriate safeguards such as
HTTPS or VPN. When sending encrypted traffic between an Azure virtual network and an on-premises location
over the public internet, use Azure VPN Gateway.
Following are best practices specific to using Azure VPN Gateway, SSL/TLS, and HTTPS.
Best practice: Secure access from multiple workstations located on-premises to an Azure virtual network.
Detail: Use site-to-site VPN.
Best practice: Secure access from an individual workstation located on-premises to an Azure virtual network.
Detail: Use point-to-site VPN.
Best practice: Move larger data sets over a dedicated high-speed WAN link.
Detail: Use ExpressRoute. If you choose to use ExpressRoute, you can also encrypt the data at the application level
by using SSL/TLS or other protocols for added protection.
Best practice: Interact with Azure Storage through the Azure portal.
Detail: All transactions occur via HTTPS. You can also use Storage REST API over HTTPS to interact with Azure
Storage and Azure SQL Database.
Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping,
and session hijacking. These attacks can be the first step in gaining access to confidential data.

Secure email, documents, and sensitive data


You want to control and secure email, documents, and sensitive data that you share outside your company. Azure
Information Protection is a cloud-based solution that helps an organization to classify, label, and protect its
documents and emails. This can be done automatically by administrators who define rules and conditions,
manually by users, or a combination where users get recommendations.
Classification is identifiable at all times, regardless of where the data is stored or with whom it’s shared. The labels
include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in
clear text. The clear text ensures that other services, such as solutions to prevent data loss, can identify the
classification and take appropriate action.
The protection technology uses Azure Rights Management (Azure RMS). This technology is integrated with other
Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. This protection
technology uses encryption, identity, and authorization policies. Protection that is applied through Azure RMS
stays with the documents and emails, independently of the location—inside or outside your organization,
networks, file servers, and applications.
This information protection solution keeps you in control of your data, even when it’s shared with other people.
You can also use Azure RMS with your own line-of-business applications and information protection solutions
from software vendors, whether these applications and solutions are on-premises or in the cloud.
We recommend that you:
Deploy Azure Information Protection for your organization.
Apply labels that reflect your business requirements. For example: Apply a label named “highly confidential” to
all documents and emails that contain top-secret data, to classify and protect this data. Then, only authorized
users can access this data, with any restrictions that you specify.
Configure usage logging for Azure RMS so that you can monitor how your organization is using the protection
service.
Organizations that are weak on data classification and file protection might be more susceptible to data leakage or
data misuse. With proper file protection, you can analyze data flows to gain insight into your business, detect risky
behaviors and take corrective measures, track access to documents, and so on.

Next steps
See Azure security best practices and patterns for more security best practices to use when you’re designing,
deploying, and managing your cloud solutions by using Azure.
The following resources are available to provide more general information about Azure security and related
Microsoft services:
Azure Security Team Blog - for up to date information on the latest in Azure Security
Microsoft Security Response Center - where Microsoft security vulnerabilities, including issues with Azure, can
be reported or via email to [email protected]
Azure Data Encryption-at-Rest
1/2/2019 • 19 minutes to read

Microsoft Azure includes tools to safeguard data according to your company’s security and compliance needs.
This paper focuses on:
How data is protected at rest across Microsoft Azure
The various components taking part in the data protection implementation
The pros and cons of the different key management protection approaches
Encryption at Rest is