Solution ideas
This article describes a solution idea. Your cloud architect can use this guidance to help visualize the major components for a typical implementation of this architecture. Use this article as a starting point to design a well-architected solution that aligns with your workload's specific requirements.
This article is the second in a series of four that explains how to design a layered security architecture by using Microsoft security solutions.
The first article describes how to map ransomware threats across a hybrid enterprise environment by using the MITRE ATT&CK framework. That article demonstrates how attackers typically gain initial access, escalate privileges, move laterally, and ultimately affect identities, infrastructure, applications, and data.
This second article builds directly on that foundation and focuses on the first layer of defense: pre-breach security.
Architecture
Download a Visio file of this architecture.
This image incorporates concepts and terminology from the MITRE ATT&CK® Framework developed by The MITRE Corporation. ATT&CK® is a registered trademark of The MITRE Corporation.
The Azure security layer shown in this diagram aligns with the Azure Security Benchmark (ASB) v3, which defines the Microsoft recommended security controls across identity, networking, compute, data, and governance.
Currently, these controls are primarily implemented and monitored via:
- Azure Policy.
- Microsoft Defender for Cloud.
- Built-in platform security defaults.
The diagram doesn't include every available service. Instead, it includes commonly deployed, high-impact controls that directly mitigate ransomware attack paths.
Workflow
The following workflow corresponds to the previous diagram:
- Azure security services contribute to pre-breach protection for each of the following Zero Trust pillars: network, infrastructure and endpoints, application and data, and identity.
- Network services in the architecture include network security groups (NSGs), a virtual private network (VPN) gateway, Azure Firewall, Azure Application Gateway with Azure Web Application Firewall, a network virtual appliance (NVA), Azure DDoS Network Protection, TLS/SSL encryption, Azure Private Link, and private endpoints.
- Infrastructure and endpoint services in the architecture include Azure Bastion, Microsoft Defender anti-malware service, disk encryption, Azure Key Vault, Azure Virtual Desktop RDP Shortpath, and Virtual Desktop reverse connect.
- Application and data services in the diagram include Azure Front Door with Web Application Firewall, Azure API Management, penetration testing, Azure Storage shared access signatures (SAS), private endpoints, an Azure Storage firewall, Azure Storage encryption, SQL auditing, SQL vulnerability assessment, and encryption for Azure SQL Database services.
- Identity services in the architecture include Azure role-based access control (Azure RBAC), Microsoft Entra multifactor authentication, Microsoft Entra ID Protection, Microsoft Entra Privileged Identity Management (PIM), and Microsoft Entra Conditional Access.
The numbers in the ATT&CK matrix correspond to technique numbers assigned by MITRE.
Components
Microsoft Entra ID is an identity and access management service. In this architecture, it manages user identities and access to external resources such as Microsoft 365 and the Azure portal, and internal resources such as apps on your corporate intranet network.
Virtual Network is a networking service that provides secure communication between Azure resources, the internet, and on-premises networks. In this architecture, it provides the private network infrastructure that supports secure connectivity and isolation for workloads.
Azure Load Balancer is a low-latency layer-4 load balancing service for UDP and TCP traffic. Load Balancer is a zone-redundant service that can handle millions of concurrent flows. In this architecture, it ensures high availability and scalability by distributing inbound and outbound traffic across resources in the virtual network.
Azure Virtual Machines is an infrastructure as a service (IaaS) offering that provides scalable compute resources. In this architecture, virtual machines host workloads that require direct control over the operating system and security configurations.
Azure Kubernetes Service (AKS) is a managed container orchestration service that simplifies deploying and managing Kubernetes clusters. In this architecture, AKS runs containerized applications and provides built-in features for security, governance, and continuous integration/continuous delivery (CI/CD).
Virtual Desktop is a desktop and app virtualization service that you can use to create remote desktops from the cloud. In this architecture, it provides secure access to corporate desktops for remote users. The architecture uses built-in features like RDP Shortpath and reverse connect.
The Web Apps feature of Azure App Service hosts web applications, REST APIs, and mobile back ends. In this architecture, Web Apps hosts HTTP-based applications and provides security features like TLS and private endpoints. You can develop applications in the language of your choice. Applications run and scale in both Windows and Linux-based environments.
Azure Storage is a scalable and secure storage solution for various data types, including blobs, files, queues, and tables. In this architecture, it stores application and system data with encryption at rest and supports secure access via SAS tokens and private endpoints.
SQL Database is a managed relational database service that automates patching, backups, and monitoring. In this architecture, it provides secure and compliant data storage via features like transparent data encryption, auditing, and vulnerability assessments.
Microsoft Fabric is a unified SaaS analytics platform that brings together data engineering, data warehousing, real-time analytics, and business intelligence. In this architecture, you can use Fabric for analytics workloads that need governed workspaces, OneLake encryption at rest, item-level role-based access, and centralized activity logging while operational data remains in services like SQL Database.
Network security group (NSG) is a free service that you attach to a network interface or subnet. An NSG filters inbound and outbound TCP or UDP traffic by source and destination IP address ranges and ports.
Azure VPN Gateway is a virtual private network (VPN) gateway that provides a tunnel protected by IPsec (IKEv1/IKEv2).
Azure Firewall is a platform as a service (PaaS) firewall that provides layer 4 protection and is attached to an entire virtual network.
Application Gateway is a load balancer for web traffic that works in layer 7 and adds Azure Web Application Firewall to protect applications that use HTTP and HTTPS.
Network virtual appliance (NVA) is a virtual security service from Azure Marketplace that's provisioned on VMs in Azure.
Azure DDoS Protection implements DDoS protection on the virtual network to help you mitigate various types of DDoS attacks.
Private Link lets you connect privately, from within your virtual network, to an Azure service that would otherwise be exposed to the internet.
Azure Bastion provides jump server functionality. You can use this service to access your VMs through remote desktop protocol (RDP) or SSH without exposing them to the internet.
Microsoft Defender Antivirus in Windows provides anti-malware services. It's part of Windows 10, Windows 11, Windows Server 2016, and Windows Server 2019.
Encryption at host is an optional enhancement to Azure managed disks that provides end-to-end encryption for VM data, including temporary disks and disk caches, for supported VM sizes. Azure managed disks are encrypted at rest by default with server-side encryption (SSE).
Key Vault is a service for storing keys, secrets, and certificates in FIPS 140-2 Level 2 or Level 3 validated storage.
Azure Front Door is a content delivery network (CDN). It combines multiple points of presence to deliver a better connection for users who access the service. It also adds Azure Web Application Firewall.
API Management is a service that provides security for API calls and manages APIs across environments.
Azure RBAC helps you manage access to Azure services by using granular permissions that are based on users' Microsoft Entra credentials.
Microsoft Entra multifactor authentication provides other types of authentication beyond user names and passwords.
Privileged Identity Management (PIM) helps you grant elevated privileges temporarily, just in time, for Microsoft Entra ID roles (for example, User Administrator) and Azure subscription roles (for example, Role Based Access Control Administrator or Key Vault Administrator).
Conditional Access is an intelligent security service that uses policies that you define for various conditions to block or grant user access.
Scenario details
Pre-breach controls are designed to reduce attack surface, eliminate common misconfigurations, and block attackers before an intrusion begins. These controls align closely with Microsoft Zero Trust principles. Zero Trust is based on the philosophy that no resource is implicitly trusted and access is continuously verified.
The goal of this article is to show how you can combine foundational Azure security services to disrupt common ransomware entry points identified in the threat map in the first article in this series, Map threats to your IT environment.
As pointed out in that article, ransomware attacks rarely start with sophisticated exploits. In most real-world incidents, attackers succeed because of:
- Exposed services.
- Weak identity controls.
- Excessive privileges.
- Flat networks.
- Unencrypted data paths.
The controls described in this article aren't advanced detection or response tools. Instead, they form the baseline security posture that makes ransomware campaigns significantly harder to run.
When these controls are missing or misconfigured, attackers often succeed before detection tools even have a chance to send alerts.
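The "exposed services" entry point above is usually an NSG rule problem: an inbound Allow rule with a lower priority number wins over a later Deny, and the platform's default rules only apply after every customer rule. The following added example, which isn't part of this article and uses a constructed NSG export (the `nsg-hypothetical-web` group, its rules, and the `10.0.0.0/16` address space are all assumed), evaluates inbound flows the way NSG priority ordering does and flags Allow rules that actually expose RDP or SSH to the internet.

```python
"""Priority-ordered NSG evaluation over a constructed sample (not a real tenant)."""
import ipaddress

# Constructed sample shaped like a simplified `az network nsg show` export.
SAMPLE_NSG = {
    "name": "nsg-hypothetical-web",
    "securityRules": [
        {"name": "AllowBastionRdp", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRange": "3389"},
        {"name": "AllowRdpFromAnywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
        {"name": "DenyRdpInternet", "priority": 300, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    ],
}
# Azure's built-in inbound default rules (65000-65500) are evaluated after customer rules.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
VNET = ipaddress.ip_network("10.0.0.0/16")  # assumed address space of the sample VNet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = (22, 3389)  # SSH and RDP: the ports ransomware operators look for

def _src_matches(prefix, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":  # simplified service tag: anything not private and not in the VNet
        return ip not in VNET and not any(ip in n for n in RFC1918)
    return ip in ipaddress.ip_network(prefix)

def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(nsg, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) for an inbound flow; lowest priority number that matches wins."""
    for r in sorted(nsg["securityRules"] + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("*", protocol):
            continue
        if _src_matches(r["sourceAddressPrefix"], src_ip) and _port_matches(r["destinationPortRange"], dst_port):
            return r["access"], r["name"]
    return "Deny", "implicit"

def exposed_management_rules(nsg, probe_ip="203.0.113.7"):
    """Inbound Allow rules that open a management port to the internet and win on priority."""
    return [r["name"] for r in nsg["securityRules"]
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourceAddressPrefix"] in ("*", "Internet")
            and any(_port_matches(r["destinationPortRange"], p)
                    and evaluate_inbound(nsg, probe_ip, p)[1] == r["name"] for p in MGMT_PORTS)]
```

Removing `AllowRdpFromAnywhere` makes the `DenyRdpInternet` rule win for internet sources while the Bastion subnet rule still permits RDP from `10.0.1.0/26`, which is the shape the Azure Bastion component in this architecture relies on.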
Azure Security Benchmark
Each security control in the Azure Security Benchmark refers to one or more specific Azure security services. The architecture reference in this article shows some of them. The controls include:
- Network security.
- Identity management.
- Privileged access.
- Data protection.
- Asset management.
- Logging and threat detection.
- Incident response.
- Posture and vulnerability management.
- Endpoint security.
- Backup and recovery.
- DevOps security.
- Governance and strategy.
For more information about security controls, see Overview of the Azure security controls (v3).
Potential use cases
This article organizes Azure security services by resource type so you can directly map them to ransomware techniques identified earlier, such as:
- Initial access through exposed services.
- Credential theft and brute-force attacks.
- Lateral movement across networks.
- Unauthorized access to data stores.
The architecture diagram at the start of this article highlights how these services protect identities, networks, compute, applications, and data before an attacker establishes persistence.
Contributors
Microsoft maintains this article. The following contributors wrote this article.
Principal author:
- Rudnei Oliveira | Senior Azure Security Engineer
Other contributors:
- Gary Moore | Programmer/Writer
- Filipe Moreira | Cloud Solution Architect
- Andrew Nathan | Senior Customer Engineering Manager
Next steps
This article focuses on preventing attacks before they start by applying foundational Azure security controls.
The next article in the series assumes that some attacks will still succeed and focuses on:
- Advanced threat detection.
- Behavioral analytics.
- Incident response and investigation.
Related resources
For more information about this reference architecture, see the other articles in this series: