Information Technology Navigator

Tips, Advice & Insights from Technology Pros

Nuances of Azure’s Shared Responsibility Security Model

Posted by Joe Correia

Wed, Feb 27, 2019


The benefits of migrating applications to Microsoft’s Azure cloud make a very compelling business case – agility, scalability, a pay for what you use cost model, etc. But as you move workloads to Azure, don’t assume they are automatically protected, because while Azure does ensure a secure infrastructure, you are responsible for ensuring protection of your data – not Microsoft.

It’s all detailed in Microsoft’s Shared Responsibility Security Model. Understanding where the Shared Responsibility model starts and stops is critical to ensuring your data is secure and compliant. Here are some key considerations:

Division of Responsibility

Azure infrastructure complies with many industry standards like NIST and ISO/IEC 27001:2013 providing 24x7 continuity from inside geographically dispersed datacenters. In compliance with these standards, Microsoft provides security for physical assets, network infrastructure, availability, SQL database, monitoring and operations. The shared responsibility model is used to show where the division of responsibility is when a customer moves their workloads into the cloud. Within Azure, Microsoft assumes responsibility for general datacenter components such as compute hosts, datacenter assets, and the networks that connect them. However, the division can vary when you look at the many service offerings available in the cloud from the operating systems and applications to directory services and account management. Ultimately customers continue to be solely responsible for their user accounts, system endpoints, permissions/access controls and most importantly their data.

Customer data availability and integrity comes with the package when leveraging cloud, however retention, compliance, and rights management are the responsibility of the customer. Microsoft provides many features and tools to help with these challenges, but it is up to the customer to architect and implement the necessary policies and controls for their data.

Identity and Access Management

Identity management is leveraged heavily in controlling and protecting customer data in a cloud solution. Typically, when customers move to the cloud additional identity and access management features such as conditional access, single sign-on, multi-factor authentication (MFA), and mobile device management (MDM) are layered onto the legacy on-premises authentication and access methods.

Application control and permissions can be a shared model between the cloud service provider (CSP) and its customer when considering web services, IoT, and media services to reduce responsibility on the customer side. In an IaaS deployment the customer must manage operating systems, applications and data security, and the CSP will tackle everything from the infrastructure layer down, including physical security, platform patching, compliance, etc.


Having helped customer navigate the nuances of this shared responsibility model, here are some important considerations:

  • Implement a data backup solution that integrates with Office 365 to protect against human error, hackers, malicious activity, and ransomware. There are a variety of options available, including Skykick, Mimecast, Veeam and Spanning depending upon your specific deployment and requirements. Office 365 also includes some retention across deleted items (14-30 days) that can help, but may fall short of what you need for a recovery point.
  • Design and configure a compliance solution that encompasses data classification, retention, and loss prevention. Policy driven classification can help control not only access but data retention to protect against both unintentional and malicious data destruction. Start with a default retention policy, set to the corporate minimum period, that can be applied to important company data across major services and fine tune up from there.

The bottom line: Going to the cloud does not remove the need for good IT practices.  IT Admins must still apply policies and process to cloud resources the same as they would on-premises.

Need help protecting your data in the cloud? Daymark is a Microsoft Tier 1 Cloud Service Provider. Our consultants have extensive experience with Azure migrations and would be happy to map out your migration strategy. We can get you started with our Azure Everywhere Workshop – A 2-day on-site workshop at your location where Daymark cloud consultants will conduct a thorough assessment of your environment and make recommendations on workloads best suited for the Azure platform. Contact us today to get started.