From the course: Azure Network Security for Beginners: Tools and Services

Azure security model

- [Instructor] As organizations move their services and workloads to the cloud, one of the important concerns is security. Making sure that critical resources are well protected, that only the required level of access is granted, and that access attempts are logged are common security concerns. Microsoft Azure provides a wide array of tools and capabilities to address these and other common security concerns. Before diving into the different security tools, let's talk about the Azure security model. Having a good understanding of this will help to differentiate the security functions handled by Azure, the cloud provider, from those handled by you. As your workloads move from an on-premises data center to the cloud, some security responsibilities also move. These will depend on the service type. IaaS, or infrastructure as a service, is a service type where you're requesting virtual machines and networks to be created by Azure. This allows you to move your on-premises physical servers to virtual machines in Azure. At this level, it is your responsibility to secure the operating systems and applications running on those virtual machines, as well as to secure the network. PaaS, or platform as a service, is a service type that provides a complete development and deployment environment in the cloud. This allows you to move your applications and their components to the cloud. At this level, Azure takes care of the operating system and additional components like database management systems, including patching of the servers. The third service type, SaaS, or software as a service, provides out-of-the-box complete software solutions that users connect to, typically using a web browser. Azure manages everything required to provide the service: the underlying infrastructure, middleware, and application software. At this level, just like with PaaS, Azure takes care of securing the infrastructure required by the application. To summarize, here I've got a chart.
When using an on-premises data center, you own the whole stack. So you are responsible for securing the physical components, such as network and hosts; the logical components, such as operating system, network and application controls; and also the other components, such as identity management, access management, client machines, and data governance. With infrastructure as a service, the cloud provider, in this case Azure, is responsible for securing the physical data center, network, and hosts. The remaining components of security are still managed by the customer. With platform as a service, Azure is also responsible for securing the operating system. Securing the network controls, application, and identity and directory infrastructure is a shared responsibility between Azure and you. With software as a service, Azure is also responsible for securing the network controls and applications, while securing the identity and directory infrastructure is a shared responsibility between Azure and you. Regardless of the service type, security of the following items always lies with you: data, endpoints, accounts, and access management. Azure uses a layered approach to security known as defense in depth. This approach offers security at various layers with the objective of protecting information from unauthorized access. At the center of this approach is data. The focus of this layer is to make sure access to data is properly secured. The next layer is application. The focus of this layer is to make sure applications are secure and are storing sensitive details in a secure storage medium. Next we have the compute layer. Make sure virtual machines are patched, endpoint protection is implemented, and access is secured. The next layer is network. Make sure inbound and outbound access is restricted to only what is required. Next is the perimeter layer. Use tools like a network firewall and distributed denial of service protection to guard against network-based attacks.
The penultimate layer is identity and access. Make sure identity is secured and access is granted only when needed and is otherwise locked. The outermost layer is physical security. This is the first line of defense and involves securing the physical components, such as the building and access to the hardware. With an approach such as this, even if one layer is compromised, controls at the subsequent layers will prevent further exposure. The shared security model provides the required understanding of how different security tools are implemented in the cloud, and also that security in the cloud is a shared responsibility between the cloud provider and the cloud user.