Zero Trust security architecture gained significant traction in 2020 as remote work dissolved the traditional network perimeter. Azure's security services provide the building blocks for a zero-trust implementation.

Azure AD Conditional Access

Conditional Access is the zero-trust policy engine for Azure AD. Policies evaluate every authentication request against conditions (user, device, location, application, risk level) and enforce access controls (MFA requirement, device compliance, block access). Example policies: require MFA for all users accessing sensitive applications; require compliant devices for access from unmanaged networks; block access from high-risk sign-in events detected by Azure AD Identity Protection.

Microsoft Defender for Cloud

Microsoft Defender for Cloud (formerly Azure Security Center) provides: secure score (aggregate measurement of security posture across Azure resources), security recommendations (actionable guidance for each misconfiguration), advanced threat protection for VMs, containers, SQL databases, and storage accounts, and regulatory compliance dashboards. The secure score provides a prioritised list of security improvements rather than an overwhelming list of findings.

Privileged Identity Management

Azure AD PIM provides just-in-time privileged access: privileged roles (Global Administrator, Subscription Owner, Contributor) are not permanently assigned. Engineers request elevation for a specific duration, provide justification, receive approval (if required), and every elevation is audited. After the duration expires, the elevated access is automatically removed. PIM eliminates standing privileged access, reducing the impact of a compromised privileged account.

Network security with Azure Firewall and NSGs

Azure Firewall provides centralised network egress filtering with application-level rules (FQDN-based filtering, TLS inspection). Network Security Groups provide distributed micro-segmentation: allow and deny rules at the NIC and subnet level. The zero-trust network pattern: deny all by default (default deny NSG rules), explicit allow rules for required communication paths, Azure Firewall for internet egress with allowlisted FQDNs, and Azure Private Endpoints for PaaS services (no public endpoint, all traffic on the private network).
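The deny-by-default NSG pattern above, as an added example (not code from the original article): a small Python model of how Azure evaluates inbound NSG rules (ascending priority, first match wins, platform default rules after custom ones). It assumes a constructed 10.0.0.0/16 VNet address space and models only a subset of the built-in default rules; the point it shows is that the built-in AllowVnetInBound rule permits any intra-VNet traffic, so "deny all by default" needs an explicit custom deny rule at priority 4096.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # constructed address space for the VirtualNetwork tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first; first match wins
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR, "*" or the "VirtualNetwork" service tag
    dest_port: str  # "443", "1000-2000" or "*"


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    net = VNET if spec == "VirtualNetwork" else ip_network(spec)
    return ip_address(addr) in net


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src: str, proto: str, port: int):
    """Return (access, matching rule name) for one inbound flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol in ("*", proto) and _addr_match(r.source, src) and _port_match(r.dest_port, port):
            return r.access, r.name
    return "Deny", "DenyAllInBound"  # platform default at priority 65500


# Modelled subset of Azure's built-in default rules (AllowAzureLoadBalancerInBound omitted).
DEFAULTS = [Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*")]

# Zero-trust set: explicit allows for required paths, then a custom catch-all deny
# at 4096 so the built-in AllowVnetInBound rule is never reached.
ZERO_TRUST = [
    Rule("AllowAppSubnetHttps", 100, "Allow", "Tcp", "10.0.1.0/24", "443"),
    Rule("AllowBastionSsh", 110, "Allow", "Tcp", "10.0.250.0/27", "22"),
    Rule("DenyAllInboundCustom", 4096, "Deny", "*", "*", "*"),
]
```

With only the platform defaults, a lateral SSH attempt from any VNet host is allowed; with the zero-trust set in front of them it hits the custom deny unless it comes from the bastion subnet.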