Overview of the security pillar
The security pillar of Well-Architected for Industry guides you on how to design and operate secure workloads in the cloud. It includes best practices for protecting data, systems, and assets while enabling business agility and innovation.
The security pillar focuses on five key areas:
- Security governance: Implement monitoring and logging solutions to detect and respond to security incidents in a timely manner. Have a well-defined incident response plan in place, including incident escalation procedures and regular testing and review of the plan to ensure its effectiveness.
- Identity and access management: This area is the foundation of secure cloud computing. Implement least privilege access, multi-factor authentication, and strong identity management practices.
- Infrastructure and network protection: Implement security controls at the network, host, and application layers to protect against cyber attacks and mitigate the impact of security incidents.
- Data protection: Implement data encryption, data classification, and data retention policies to protect data at rest and in transit.
- Applications and services: Implement best security practices for applications and services deployed on top of the cloud infrastructure.
The following table summarizes the division of responsibility of the security pillar for each service type:
| Type of service | Microsoft responsibility | Customer responsibility | Some components used in Microsoft Cloud industry solutions |
|---|---|---|---|
| On-premises | N/A | Responsible for the whole stack. | On-premises data gateway |
| IaaS | Securing the underlying infrastructure, such as the physical servers, storage, and networking components. | Secure their applications, data, and operating systems that run on top of the infrastructure. Includes tasks such as configuring firewalls, managing access controls, and implementing security policies. | Azure Virtual Network (VNet), Azure Virtual Machines (VMs) |
| PaaS | Securing the underlying platform, including the runtime environment, databases, and messaging systems. | Secure their applications and data that run on top of the platform. Includes tasks such as configuring security settings, managing access controls, and implementing security policies. | Power Platform, Azure Health Data Services, Azure Storage Services, Azure Analytics Services, Azure Logic Apps, Azure Kubernetes Service (AKS) |
| SaaS | Securing the entire software application and associated services, including the data it processes and stores. | Secure their user accounts and access controls to ensure their users can access the application securely. Includes tasks such as configuring multi-factor authentication, implementing security policies, security roles, and monitoring user activity for potential security threats. | Dynamics 365, Microsoft 365 |