Security Fundamentals

Learn the foundational concepts that underpin all cloud security: shared responsibility, defense in depth, and Zero Trust architecture.

🧠 ELI5 Explanation

Imagine your house is your cloud application. You own the lock (your code, your data). The landlord (Microsoft/Azure) owns the foundation, walls, and roof (servers, network infrastructure). In cloud security, you must lock your door, but Microsoft ensures the building doesn't collapse. That's the shared responsibility model.

Defense in depth is like having multiple doors, cameras, and alarms rather than just one lock. Zero Trust means: never trust anyone, even inside your house—verify everyone, every time.

Technical Explanation

Shared Responsibility Model

Azure handles:

  • Physical security (data centers)
  • Network infrastructure
  • Host OS and hypervisor
  • Azure service platform

You handle:

  • Identity & access (MFA, passwords, roles)
  • Application security (secure code, vulnerabilities)
  • Data encryption (when required)
  • Network security (NSGs, firewalls)
  • Compliance requirements

Defense in Depth (Layered Security)

Never rely on a single security control. Use multiple layers:

Layer        Controls                                      Example
-----------  --------------------------------------------  ---------------------------------------------
Identity     MFA, conditional access, passwordless         User requires MFA to sign in
Perimeter    Firewalls, NSGs, DDoS protection              Only HTTPS allowed, SSH blocked
Network      VNets, segmentation, Private Link             Database only accessible from app subnet
Compute      VM hardening, patches, antimalware            Windows Defender enabled, updates installed
Application  Secure coding, input validation, encryption   No SQL injection, parameterized queries
Data         Encryption at rest/in transit, backups        Database encrypted with transparent encryption

Zero Trust Architecture

Core principle: Never trust, always verify—even for insider access.

Traditional thinking: "If you're inside the network, you're safe."

Zero Trust thinking: "Every request is suspicious until proven otherwise."

Pillars of Zero Trust:

  • Verify Explicitly: Always authenticate and authorize based on all available data points (user, device, location, risk)
  • Use Least Privilege: Grant the minimum access needed, for the minimum time
  • Assume Breach: Encrypt everything and design as if an attacker is already inside
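The three pillars become concrete when you write them as a policy decision. The following is an added example (not code from the original page and not an Azure API): a hypothetical `AccessRequest` carries the signals the "verify explicitly" pillar names, `ROLE_MAX_HOURS` is an assumed least-privilege cap on how long each role may be held, and `FIXED_NOW` is a constructed clock so the output is reproducible. Note that `source_network` never shortens the checks: a request from the corporate network is treated exactly like one from the internet, which is the "assume breach" pillar in code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical access request carrying the "verify explicitly" signals:
# user, device, location (network) and risk. Illustration only.
@dataclass
class AccessRequest:
    user: str
    role_requested: str       # e.g. "Reader", "Contributor", "Owner"
    mfa_satisfied: bool
    device_compliant: bool
    source_network: str       # "corp", "vpn" or "internet"
    risk_level: str           # "low", "medium" or "high"
    requested_hours: int = 8  # how long the caller asked to hold the role

@dataclass
class Decision:
    allowed: bool
    reason: str
    role_granted: Optional[str] = None
    expires_at: Optional[datetime] = None

# Least privilege (assumed policy): the more powerful the role, the shorter it may be held.
ROLE_MAX_HOURS = {"Reader": 24, "Contributor": 8, "Owner": 1}

# Constructed fixed clock so results are reproducible.
FIXED_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

def evaluate(req: AccessRequest, now: datetime = FIXED_NOW) -> Decision:
    """Apply the three Zero Trust pillars to one request and return a Decision."""
    # Assume breach: being on the corporate network earns nothing. The source
    # network is kept for the audit trail but never short-cuts the checks below.
    # Verify explicitly: every signal is checked on every request.
    if req.risk_level == "high":
        return Decision(False, f"{req.user}: high sign-in risk, blocked from {req.source_network}")
    if not req.mfa_satisfied:
        return Decision(False, f"{req.user}: MFA required even from {req.source_network}")
    if not req.device_compliant:
        return Decision(False, f"{req.user}: device not compliant")
    # Least privilege: unknown roles are denied, privileged roles are refused
    # at medium risk, and every grant is time-boxed to the role's cap.
    if req.role_requested not in ROLE_MAX_HOURS:
        return Decision(False, f"{req.user}: unknown role {req.role_requested!r}")
    if req.risk_level == "medium" and req.role_requested == "Owner":
        return Decision(False, f"{req.user}: medium risk, privileged role refused")
    hours = min(req.requested_hours, ROLE_MAX_HOURS[req.role_requested])
    return Decision(True, f"{req.user}: {req.role_requested} granted for {hours}h",
                    req.role_requested, now + timedelta(hours=hours))

def grant_hours(decision: Decision, now: datetime = FIXED_NOW) -> Optional[float]:
    """Hours of access a Decision grants, or None if it was denied."""
    if not decision.allowed:
        return None
    return (decision.expires_at - now).total_seconds() / 3600

if __name__ == "__main__":
    sample_requests = [  # constructed
        AccessRequest("alice", "Owner", True, True, "corp", "low", requested_hours=8),
        AccessRequest("bob", "Reader", False, True, "corp", "low"),
        AccessRequest("carol", "Contributor", True, True, "internet", "high"),
    ]
    for r in sample_requests:
        d = evaluate(r)
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

Alice asks for Owner for 8 hours and gets it for 1 hour, the cap for that role; Bob is denied on the corporate network because MFA is missing; Carol is blocked on risk before any other check runs.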

Visual Representation

Shared Responsibility in Azure

Azure (Green)                    You (Orange)
 ___________________              ___________________
| Physical DC       |            | Identity & MFA    |
| Security, Power   |            | Access Control    |
|___________________|  <----->   | App Security      |
| Network Infra     |  Boundary  | Data Encryption   |
| Firewalls, DDoS   |            | Compliance        |
|___________________|            |___________________|

Hands-on: Checking Shared Responsibility

Even though we don't "secure" Azure's infrastructure ourselves, understanding the boundary helps with architecture decisions:

# View Azure resources you own (shared responsibility boundary)
az resource list --query "[].{id:id, type:type}" --output table

# Check VM status (your responsibility: keep patched and hardened)
az vm list --query "[].{name:name, vmId:vmId, provisioningState:provisioningState}" --output table

# List network security groups and their rules (your responsibility: configure rules)
az network nsg list --query "[].{name:name, rules:securityRules[].name}" --output table
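The NSG listing above only shows rule names; the Perimeter row of the defense-in-depth table ("SSH blocked") is something you have to check for. The following is an added example, not part of the original page: it reads JSON shaped like `az network nsg list --output json` (here a constructed sample cut down to the fields used, with made-up resource names) and flags inbound Allow rules that open management ports to any source. `MANAGEMENT_PORTS` and `ANY_SOURCE` are assumptions for this check, not Azure constants.

```python
import json

# Constructed sample shaped like `az network nsg list --output json`, cut down
# to the fields this check reads. These are not real resources.
SAMPLE_NSG_JSON = json.dumps([
    {"name": "web-nsg", "securityRules": [
        {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
        {"name": "allow-ssh-any", "priority": 110, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    ]},
    {"name": "db-nsg", "securityRules": [
        {"name": "allow-sql-from-app", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "1433"},
        {"name": "allow-mgmt-range", "priority": 120, "direction": "Inbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefixes": ["Internet", "10.0.0.0/8"],
         "destinationPortRanges": ["3389", "5985-5986"]},
        {"name": "deny-rdp-internet", "priority": 200, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    ]},
])

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}      # SSH, RDP, WinRM (assumed list)
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}    # prefixes that mean "the whole internet"

def port_range_covers(port_range, port):
    """True if an NSG destination port range ("*", "22" or "20-25") includes port."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = port_range.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(port_range) == port

def find_exposed_management_rules(nsg_json):
    """Return (nsg, rule, priority, ports) for inbound Allow rules that open
    a management port to any source."""
    findings = []
    for nsg in json.loads(nsg_json):
        for rule in nsg.get("securityRules", []):
            if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
                continue
            # Azure uses the singular field for one value and the plural list for several.
            sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
            ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
            if not ANY_SOURCE.intersection(sources):
                continue
            exposed = sorted(p for p in MANAGEMENT_PORTS
                             if any(port_range_covers(r, p) for r in ranges))
            if exposed:
                findings.append((nsg["name"], rule["name"], rule["priority"], exposed))
    return findings

if __name__ == "__main__":
    for nsg, rule, prio, ports in find_exposed_management_rules(SAMPLE_NSG_JSON):
        print(f"{nsg}: rule {rule} (priority {prio}) allows {ports} from any source")
```

In practice you would pass the real output of `az network nsg list --output json` to `find_exposed_management_rules`. The check does not model rule precedence (in Azure a lower priority number wins), so a Deny with a lower number than a flagged Allow would actually take effect; the check still reports the Allow, which errs on the side of reviewing it. In the sample, `deny-rdp-internet` sits at priority 200, behind the Allow at 120, so RDP really is open there.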

Real-world Use Case

Scenario: A financial services company moving to Azure must handle customer data.

Azure's responsibility: Keep data centers secure, prevent physical theft, run hypervisors safely.

Company's responsibility: Encrypt customer data, enforce MFA for admin access, scan apps for vulnerabilities, maintain network isolation.

If data is breached: If the cause is data center theft (rare), Azure is liable. If the cause is weak passwords or injection attacks (common), the company is liable.

Summary

Interview Questions

Q (Beginner): What is the shared responsibility model?
A: Microsoft secures the cloud infrastructure (data centers, networks, hypervisors). You secure what runs on Azure (identity, applications, data encryption, network security).
Q (Beginner): Who is responsible for patching a VM OS?
A: You are. Azure provides the hardware and hypervisor; you must apply Windows or Linux updates.
Q (Intermediate): Explain defense in depth with an example.
A: Instead of just having a firewall, layer multiple controls. Example: SQL database = identity-based access + firewall rules + encryption at rest + private endpoint + network isolation. If one layer fails, others still protect.
Q (Intermediate): What does "assume breach" mean in Zero Trust?
A: Design as if attackers are already inside your network. Encrypt all data, segment networks, verify every access request, don't trust internal IPs automatically.
Q (Scenario): Your company was hit with ransomware that encrypted production data. What part is Azure's responsibility, and what's yours?
A: Azure's responsibility: ensure physical data center security and prevent unauthorized access to the infrastructure. Your responsibility: back up data offsite, segment networks so malware can't spread, enforce access controls, train employees on phishing. If ransomware got in through weak passwords or unpatched apps, that's on you.