Azure provides comprehensive security services and technologies across all layers of your cloud deployments. This article introduces the main security capabilities organized by domain, with links to detailed overview articles for more information.
For specific security best practices and detailed implementation guidance, refer to the domain-specific overview articles linked throughout this document.
Identity and access management
| Service | Description |
|---|---|
| Microsoft Entra ID | Cloud-based identity and access management service supporting single sign-on (SSO), multifactor authentication (MFA), Conditional Access, and passwordless authentication. |
| Azure role-based access control (RBAC) | Fine-grained access management with built-in and custom roles, assignable at management group, subscription, resource group, or resource scope. |
| Microsoft Entra Privileged Identity Management | Just-in-time privileged access to Azure and Microsoft Entra roles with approval workflows, access reviews, and audit history. |
| Microsoft Entra access reviews | Scheduled reviews of group memberships, application access, and role assignments with automated recommendations and remediation. |
| Microsoft Entra application proxy | Secure remote access to on-premises web applications without VPN, using Microsoft Entra authentication and Conditional Access. |
| Microsoft Entra Connect / Cloud Sync | Hybrid identity synchronization between on-premises Active Directory and Microsoft Entra ID for unified identity management. |
For detailed identity security capabilities and best practices, see Azure identity management security overview.
Network security
| Service | Description |
|---|---|
| Azure Virtual Network | Isolated private network with subnets, route tables, and DNS settings. Foundation for all Azure network security. |
| Network Security Groups (NSGs) | Stateful packet filtering with 5-tuple rules, service tags, and application security groups for granular access control. |
| Azure Firewall | Cloud-native stateful firewall with built-in high availability. Standard SKU offers L3-L7 filtering; Premium SKU adds IDPS and TLS inspection. |
| Web Application Firewall (WAF) | Centralized protection against OWASP Top 10 vulnerabilities, SQL injection, cross-site scripting, and bot attacks. |
| Azure DDoS Protection | Always-on traffic monitoring with adaptive tuning, real-time mitigation, and attack analytics for volumetric and protocol attacks. |
| Azure Private Link | Private connectivity to Azure PaaS services over a private endpoint in your virtual network, eliminating public internet exposure. |
| Virtual Network service endpoints | Direct connectivity to Azure services over the Azure backbone network, restricting access to your virtual networks only. |
| Azure VPN Gateway | Encrypted cross-premises connectivity using IPsec/IKE VPN tunnels for site-to-site and point-to-site connections. |
| Azure ExpressRoute | Dedicated private WAN connection to Microsoft cloud services, bypassing the public internet for enhanced security and reliability. |
| Azure Application Gateway | Layer 7 load balancer with TLS termination, cookie-based session affinity, URL-based routing, and integrated WAF. |
| Azure Front Door | Global HTTP load balancer with edge acceleration, integrated WAF, platform-level DDoS protection, and Private Link backend origins. |
| Azure Network Watcher | Network monitoring, diagnostics, and security analysis including NSG flow logs, packet capture, and connection troubleshoot. |
For comprehensive network security guidance and best practices, see Azure network security overview.
Data encryption
| Service | Description |
|---|---|
| Azure Storage Service Encryption | Automatic AES-256 encryption for all data at rest in Azure Blob storage, Azure Files, Queue storage, and Table storage. |
| Azure SQL Database Transparent Data Encryption (TDE) | Real-time encryption of databases, backups, and transaction logs at rest. Enabled by default with support for customer-managed keys. |
| Always Encrypted | Client-side encryption for Azure SQL Database ensuring data remains encrypted throughout its lifecycle, even from database administrators. |
| Azure Disk Encryption | Encryption for OS and data disks using platform-managed keys, customer-managed keys, or double encryption with both. |
| Azure Cosmos DB encryption | Automatic encryption at rest using service-managed keys with optional customer-managed key (CMK) support. |
| Azure Data Lake encryption | Transparent encryption at rest enabled by default with options for Microsoft-managed or customer-managed keys. |
| TLS encryption in transit | Transport Layer Security (TLS 1.2+) for all Azure service communications with Perfect Forward Secrecy (PFS). |
| MACsec data-link encryption | Point-to-point encryption using IEEE 802.1AE for all Azure traffic between datacenters. |
For detailed encryption options and best practices, see Azure encryption overview.
Key and secrets management
| Service | Description |
|---|---|
| Azure Key Vault | Secure storage for keys, secrets, and certificates with FIPS 140-2 Level 1 (Standard tier) or FIPS 140-3 Level 3 (Premium tier with HSM) validation. |
| Azure Key Vault Managed HSM | Single-tenant, FIPS 140-3 Level 3 validated HSM service offering full customer control with confidential key support. Integrates with Azure PaaS services. |
| Azure Cloud HSM | Fully managed, single-tenant FIPS 140-3 Level 3 validated HSM cluster supporting PKCS#11, SSL/TLS offloading, and on-premises migration scenarios. IaaS only. |
| Azure Payment HSM | Single-tenant, FIPS 140-2 Level 3 validated, PCI HSM v3 compliant HSM for payment processing operations. |
For comprehensive key management options, see Key management in Azure.
Threat detection and response
| Service | Description |
|---|---|
| Microsoft Defender for Cloud | Unified cloud security with posture management (CSPM), workload protection (CWP), and advanced threat detection across Azure, AWS, GCP, and hybrid environments. Integrated with Microsoft Defender portal. |
| Microsoft Sentinel | Cloud-native SIEM and SOAR solution with machine learning, user and entity behavior analytics (UEBA), threat intelligence integration, and automated playbooks. |
| Microsoft Entra ID Protection | Risk-based identity protection detecting anomalous sign-in behaviors and compromised accounts using machine learning. |
| Microsoft Defender for Cloud Apps | Cloud Access Security Broker (CASB) providing visibility, data control, and threat protection for cloud applications including shadow IT discovery. |
| Microsoft Antimalware for Azure | Real-time protection, scheduled scanning, and automatic malware remediation for Azure Cloud Services and Virtual Machines. |
For comprehensive information about threat detection capabilities and best practices, see Azure threat protection.
Platform integrity
| Service | Description |
|---|---|
| Firmware security | Secure supply chain and firmware integrity verification for Azure hardware from manufacturing through deployment. |
| UEFI Secure Boot | Ensures only signed operating systems and drivers can boot, protecting against firmware-level malware. |
| Platform code integrity | Code integrity policies that validate all code before execution on Azure infrastructure. |
| Measured boot and host attestation | Cryptographic verification of the boot sequence to ensure hosts are in a secure and trustworthy state. |
| Project Cerberus | Hardware root of trust providing platform identity and integrity verification. |
| Hypervisor security | Hardened hypervisor with strong isolation between virtual machines and the host environment. |
For detailed platform security architecture, see Azure platform integrity and security overview.
Virtual machine security
| Service | Description |
|---|---|
| Trusted launch | Default for Gen2 VMs with Secure Boot, vTPM, and Boot Integrity Monitoring protecting against bootkits, rootkits, and kernel-level malware. |
| Azure confidential computing | Hardware-based trusted execution environments (TEE) using AMD SEV-SNP or Intel TDX for data protection while in use. |
| Confidential VMs | Full VM memory encryption with hardware-enforced isolation from the hypervisor and host management code. |
| Microsoft Defender for Servers | Threat detection with Microsoft Defender for Endpoint integration, vulnerability assessment, just-in-time VM access, and file integrity monitoring. |
| Just-in-time (JIT) VM access | Reduces attack surface by locking down inbound traffic and enabling time-limited access to management ports on-demand. |
| Adaptive application controls | Machine learning-based application allowlisting to control which applications can run on your VMs. |
| Azure Backup | Independent, isolated backups with ransomware protection, soft delete, and Recovery Services vault management. |
| Azure Site Recovery | Disaster recovery orchestration for replication, failover, and recovery to Azure or a secondary site. |
For comprehensive VM security features and guidance, see Azure Virtual Machines security overview.
Container security
| Service | Description |
|---|---|
| Microsoft Defender for Containers | Runtime protection, vulnerability assessment, and Kubernetes threat detection across AKS, EKS, GKE, and on-premises clusters. |
| Azure Container Registry | Managed container registry with vulnerability scanning, content trust (image signing), geo-replication, and private endpoints. |
| Azure Kubernetes Service (AKS) security | Managed Kubernetes with Microsoft Entra integration, Azure RBAC, network policies, pod security, and secrets management. |
| Confidential containers on ACI | Hardware-based TEE protection using AMD SEV-SNP with verifiable execution policies and remote attestation. |
| Kubernetes gated deployment | Admission control preventing deployment of container images that violate security rules in audit or deny mode. |
| Container image scanning | Agentless vulnerability assessment for container images in registries and runtime containers in AKS clusters. |
For comprehensive container security guidance, see Container security in Microsoft Defender for Cloud.
Database security
| Service | Description |
|---|---|
| Azure SQL Database security | Comprehensive security with network isolation, Microsoft Entra authentication, TDE encryption, Always Encrypted, and auditing. |
| Microsoft Defender for SQL | Advanced threat protection detecting SQL injection, brute-force attacks, anomalous activities, and vulnerability exploits. |
| SQL Vulnerability Assessment | Discovers, tracks, and helps remediate database vulnerabilities with actionable security recommendations. |
| Row-Level Security (RLS) | Restricts row access based on user identity, role, or execution context for fine-grained data access control. |
| Dynamic Data Masking | Masks sensitive data to non-privileged users without changing underlying data, reducing exposure risk. |
| Azure SQL Database Ledger | Tamper-evident capabilities with immutable transaction records for data integrity verification and compliance. |
| Azure Cosmos DB security | Encryption at rest and in transit, network isolation, RBAC, and audit logging for NoSQL and multi-model workloads. |
For a comprehensive database security checklist, see Azure database security checklist.
DevOps security
| Service | Description |
|---|---|
| Microsoft Defender for DevOps | Unified DevOps security connecting Azure DevOps and GitHub with code scanning, infrastructure-as-code (IaC) scanning, and secret detection. |
| GitHub Advanced Security integration | Code-to-cloud vulnerability tracking with runtime context prioritization and AI-powered Copilot Autofix remediation. |
| In-pipeline container scanning | CLI-based container vulnerability scanning during CI/CD workflows with real-time feedback before registry push. |
| Dependency vulnerability scanning | Trivy-powered detection of OS and library vulnerabilities in GitHub and Azure DevOps repositories. |
For DevOps security best practices, see DevOps security in Defender for Cloud.
Monitoring and governance
| Service | Description |
|---|---|
| Azure Monitor | Comprehensive monitoring with metrics, logs, Log Analytics workspaces, Application Insights, alerts, and workbooks. |
| Azure Policy | Governance service enforcing organizational standards with policy definitions, initiatives, compliance reporting, and automatic remediation. |
| Microsoft Defender for Cloud regulatory compliance | Built-in and custom compliance assessments aligned with Microsoft cloud security benchmark, ISO 27001, NIST, PCI DSS, and other standards. |
| Azure Activity Log | Subscription-level audit log recording administrative operations, service health events, and resource changes with 90-day retention. |
| Azure Update Manager | Unified patch management for Windows and Linux VMs across Azure, on-premises, and multicloud with scheduled patching and hotpatching. |
| Azure Resource Graph | Fast cross-subscription querying to identify resources with specific configurations or security postures at scale. |
| Microsoft Cost Management | Cost monitoring, budgets, and anomaly detection to identify unauthorized resource deployments that may indicate security incidents. |
For detailed security management capabilities and best practices, see Azure security management and monitoring overview.
Backup and disaster recovery
| Service | Description |
|---|---|
| Azure Backup | Independent, isolated backups with zero capital investment, ransomware protection, soft delete, and cross-region restore. |
| Azure Site Recovery | Business continuity and disaster recovery (BCDR) orchestration for replication, failover, and recovery to Azure or a secondary site. |
For comprehensive backup guidance, see Azure Backup documentation.
PaaS deployment security
For guidance on securing platform-as-a-service deployments, including App Service, Azure Functions, and container services, see Securing PaaS deployments.
Next steps
- End-to-end security in Azure - Comprehensive overview of Azure's security architecture and capabilities
- Azure security best practices and patterns - Collection of security best practices for various scenarios
- Microsoft cloud security benchmark - Comprehensive security guidance for Azure services
- Shared responsibility in the cloud - Understanding the security responsibilities shared between you and Microsoft