Azure Security Assessment: A Practical Guide

    How to Harden Azure Security: Practical Measures Using CIS Benchmarks

    Cloud-based systems are growing, and so are security incidents in the cloud. In Azure, data breaches often happen due to weak access management and setup mistakes. To stop these, you need proper security checks called Azure Security Assessments.

    To do these assessments well, you need to know who's responsible for what: what Microsoft handles as the cloud provider and what's up to the user. This idea, called the Shared Responsibility Model, is key to managing cloud security. If you don't understand it, you might overlook important areas you control—like access rules, storage options, data encryption, and network settings—leaving your system at risk.

    In this article, we'll look at real examples of security risks in Azure, explain why the shared responsibility model matters and how to use it, and share a simple approach to security assessments based on it. We'll also explore how CIS benchmarks can boost security and offer practical tips for running Azure safely.

    Security Incidents in Azure

    In cloud environments, configuration errors and inadequate security measures create significant risks of data breaches.

    How prevalent are security incidents among companies operating in the cloud? According to Gartner's research report, 5 Things You Must Do for Secure IaaS and PaaS, "By 2021, 50% of enterprises will have unintentionally exposed some IaaS storage services, network segments, applications, and APIs to the public internet, up from 25% at the end of 2018."

    Our investigation into security incidents caused by misconfigured Azure Blob Storage—a widely used storage service in Azure—revealed numerous cases. Here are a couple of examples:

    Understanding the Shared Responsibility Model

    Preventing such security incidents demands regular evaluations of cloud environment security to identify and fix vulnerabilities and misconfigurations early. However, conducting practical security assessments in Azure starts with understanding the responsibility split between the cloud provider (Microsoft) and the user. This framework, called the Shared Responsibility Model, is a critical guide for implementing security measures.

    The Cloud Security Alliance (CSA) outlines distinct responsibility divisions for IaaS, PaaS, and SaaS in its shared responsibility model. Microsoft, meanwhile, provides a tailored version specific to Azure, defining management scopes as follows.

    [Figure: Microsoft Azure responsibility zones. Source: Shared Responsibility in the Cloud, Microsoft]

    Understanding this model clarifies the security areas users must manage.

    Azure Security: Leveraging Benchmarks and Defender

    Adopting the Azure Security Benchmark (ASB) as a standard and using Microsoft Defender for Cloud to perform evaluations are essential for properly assessing and enhancing security in Azure environments.

    What is the Azure Security Benchmark (ASB)?

    The Azure Security Benchmark (ASB) is a guideline offering best practices for security assessments in Azure environments. It's built on the following industry-standard frameworks:

    • CIS Controls v8: Best practices for security management.
    • NIST SP 800-53 r5: Security standards for U.S. government agencies.
    • ISO 27001: International standards for information security management.

    Using ASB, you can systematically evaluate security risks in Azure and pinpoint necessary actions.

    [Figure: Microsoft Defender for Cloud overview showing Secure Score, Recommendations Status, and Resource Health]

    Security Assessment with Microsoft Defender for Cloud

    Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) is a vital tool that aligns with the Azure Security Benchmark (ASB) while incorporating Azure-specific risk assessments. It identifies risks in Azure environments and suggests actionable countermeasures.

    The tool offers two core functions:

    1. Cloud Security Posture Management (CSPM)
      This feature visualizes misconfigurations and compliance issues across the Azure environment to highlight risks. Key assessment areas include:

      • Inappropriate access management settings.
      • Deviations from security configuration best practices.
      • Gaps in encryption or network settings.
      • Compliance with standards like CIS Controls v8, NIST SP 800-53 r5, and ISO 27001.
    2. Cloud Workload Protection Platform (CWPP)
      This function monitors Azure resources—such as virtual machines, containers, and databases—in real time to detect and mitigate threats. Key security measures include:

      • Signature-based threat detection.
      • Behavioral analysis for anomaly detection.
      • Threat intelligence to support zero-day attack detection.
      • Automated incident response.

    Leveraging Microsoft Defender for Cloud automates ASB-compliant security assessments, enabling continuous improvements. This helps you visualize risks in Azure environments and consistently apply appropriate safeguards.

    Enhancing Security in Azure: Applying CIS Benchmarks

    For comprehensive security, you must also address risks that Microsoft Defender for Cloud can't detect. This section explores how to tackle vulnerabilities and quality issues that are embedded from the design phase onward, spanning basic design, detailed design, and operational design.

    By embedding security into the design phase, you can streamline maintenance in later stages and cut security costs during operations. Here, we'll detail an approach to system hardening during detailed design using CIS benchmarks.

    [Figure: Microsoft Azure security by design: risk and review criteria]

    The CIS Microsoft Azure Foundations Benchmarks provide prescriptive guidance from the Center for Internet Security (CIS) to establish a secure baseline configuration for Azure. Aimed at all Azure users, it sets a foundational security level, though adjustments may be needed based on your environment.

    The benchmark is intended for system and application administrators, security professionals, auditors, help desk staff, and those overseeing platform releases, solution development, release evaluations, or secure solution planning. The latest release as of this writing is v1.3.0 (February 1, 2021), available in MS Excel, MS Word, and PDF formats.

    Here are the first two items from the CIS Microsoft Azure Foundations Benchmarks as examples:

    • 1.1 Ensure multi-factor authentication is enabled for all privileged users (Level 1)
    • 1.2 Ensure multi-factor authentication is enabled for all non-privileged users (Level 2)

    These are standard multi-factor authentication measures, with Level 1 covering privileged users and Level 2 extending the requirement to non-privileged users. In high-security environments, Level 2 is recommended. For each item, the documentation also details the rationale, the impact, and the audit procedure to follow.


    Consider this Azure environment as an example:

    • Connected to a private cloud via an on-premises infrastructure (OA environment) and a dedicated line service.
    • Internal Azure systems accessible from the OA environment.
    • Storage services accessible via private link connections.

    The CIS Microsoft Azure Foundations Benchmark includes: "6.5 Ensure Network Watcher is 'Enabled'." Network Watcher is a valuable tool for monitoring, diagnosing, viewing metrics, and enabling logging for Azure virtual network resources; none of these capabilities are available while the service is off. However, depending on your environment, continuous use can lead to significant costs.
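    The following is an added example, not code from the article or from CIS: it evaluates item 6.5 offline against saved output of `az network vnet list` and `az network watcher list`, so the check can run during a design review before anything is switched on. The snapshot data is constructed, and the compliance rule (a region is compliant when a Network Watcher there has provisioningState "Succeeded") is an assumption modelled on the benchmark's audit approach.

```python
import json

# Constructed snapshot of `az network vnet list -o json`, trimmed to the fields used.
VNETS_JSON = """[
  {"name": "vnet-oa-hub",  "location": "japaneast",  "resourceGroup": "rg-network"},
  {"name": "vnet-app",     "location": "japaneast",  "resourceGroup": "rg-app"},
  {"name": "vnet-dr",      "location": "Japan West", "resourceGroup": "rg-dr"},
  {"name": "vnet-sandbox", "location": "westus2",    "resourceGroup": "rg-sandbox"}
]"""

# Constructed snapshot of `az network watcher list -o json`.
WATCHERS_JSON = """[
  {"name": "NetworkWatcher_japaneast", "location": "japaneast", "provisioningState": "Succeeded"},
  {"name": "NetworkWatcher_japanwest", "location": "japanwest", "provisioningState": "Failed"}
]"""


def normalize_region(name):
    """Azure prints regions as 'japaneast' or 'Japan West'; compare them in one form."""
    return name.replace(" ", "").lower()


def watcher_state_by_region(watchers):
    """Map each region to its Network Watcher provisioningState (assumes one watcher per region)."""
    return {normalize_region(w["location"]): w.get("provisioningState", "Unknown") for w in watchers}


def audit_network_watcher(vnets_json, watchers_json):
    """One finding per region that hosts a VNet but has no Network Watcher in the Succeeded state.

    Regions without any VNet are ignored: the control concerns regions you actually use.
    """
    vnets = json.loads(vnets_json)
    states = watcher_state_by_region(json.loads(watchers_json))
    findings = []
    for region in sorted({normalize_region(v["location"]) for v in vnets}):
        state = states.get(region)
        if state == "Succeeded":
            continue  # compliant region
        reason = "no Network Watcher in region" if state is None else f"provisioningState is {state}"
        findings.append({"control": "CIS 6.5", "region": region, "status": "FAIL", "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_network_watcher(VNETS_JSON, WATCHERS_JSON):
        print(f"{f['control']} {f['status']} {f['region']}: {f['reason']}")
```

A watcher that exists but never finished provisioning is reported separately from a missing one, since the two need different follow-up.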


    Some organizations may lack the budget to enable it immediately, and activation involves many considerations. At this point, you'll need to weigh basic, detailed, and operational design factors, such as:

    • How much will it cost in the current environment?
    • How will logs be securely stored?
    • How will logs be monitored?
    • How will logs be analyzed?
    • How will alerts be triggered upon detection?
    • What's the communication flow?
    • Will security measures disrupt business operations?

    If operational design processes beyond the CIS benchmarks aren't defined, you'll only incur costs for log generation. Saying "operations can handle it" merely shifts the burden from system development to the operations staff. Rather than reacting to incidents with makeshift fixes, designing with security by design in mind from the start—across basic, detailed, and operational phases—builds security as a guardrail that supports business continuity.

    Conclusion

    Security in Azure environments goes beyond optimizing configurations; it demands continuous evaluation and improvement rooted in the shared responsibility model. As this article outlines, you can systematically assess security risks and implement practical solutions by leveraging the Azure Security Benchmark (ASB), Microsoft Defender for Cloud, and the CIS Microsoft Azure Foundations Benchmark.

    However, cloud security isn't a one-time fix. The operational phase hinges on a security-by-design mindset. Embedding security from the design stage while balancing log management and cost optimization creates a security framework that acts as a guardrail without halting business operations.

    As cloud adoption grows, so will the risk of security incidents. To operate Azure safely, technical measures must be paired with organization-wide security awareness and a system for ongoing risk evaluation and response.