Azure Shared Responsibility Model: Real World Examples & Best Practices

Cloud security is pivotal for organizations to protect their business data, reduce data theft, and meet compliance requirements. To secure your data in the cloud, including Microsoft Azure, you need to consider the shared responsibility model, where the cloud provider handles some security tasks while the customer manages others. These tasks vary depending on whether the hosted workload is implemented using software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). 

The shared responsibility model is a cloud security framework that outlines cloud providers’ and customers' security obligations and responsibilities for ensuring accountability. In this arrangement, cloud providers are responsible for the security of the cloud, while customers handle the security in the cloud. For example, when customers run their workload on Azure Virtual Machines (VM), Microsoft secures the underlying compute services infrastructure, including the hypervisor, server hardware, and physical facilities. Customers are responsible for updating guest operating systems and applying security patches. 

Simply put, cloud security is a shared responsibility between cloud providers and customers.

This article explains the shared responsibility model and provides examples of how customers should leverage the model to secure their data in Azure and Office 365. This article also recommends deployment best practices.

Division of Responsibilities

Figure 1: Microsoft Shared Responsibility Model (Source)

Compared to on-premises deployments, where customers are responsible for securing the whole stack, the SaaS, PaaS, and IaaS deployments transfer some responsibilities to Microsoft.

Responsibilities Under SaaS

In a SaaS deployment (e.g., Exchange Online, SharePoint Online, or Teams), Microsoft is responsible for securing the application, network control, operating system, physical hosts, physical networks, and physical data center. In contrast, customers are responsible for information and data classification, device security, and accounts and identities, e.g., password complexity and multi-factor authentication (MFA). 

In addition, Microsoft and customers share identity and directory infrastructure responsibility. To illustrate, let’s take the example of MFA. Microsoft ensures that the MFA service is up and running, while customers are responsible for enabling users for MFA. As a result, healthy and responsive MFA policies applied to Azure Active Directory (AD) users will provide secure access to business applications and data. 

Responsibilities under PaaS

In a PaaS deployment (e.g., Azure SQL or Web Apps), Microsoft handles the operating system's security, physical hosts, physical networks, and physical data center. Customers are responsible for information and data classification, device security, accounts, and identities. PaaS shared responsibilities include identity and directory infrastructure, applications, and network controls. For example, Azure SQL customers have granular control over identity security and access. Azure SQL customers can also configure allowed and restricted networks.

Responsibilities under IaaS

In an IaaS deployment (e.g., Azure VM), customers' security responsibilities increase to include seven of the ten responsibilities defined in the Microsoft Shared Responsibility Model. Microsoft is only responsible for securing physical hosts, networks, and the data center. Customers are responsible for securing the operating system, network control, applications, identity and directory infrastructure, accounts and identities, devices, and information and security.

Common responsibilities for all service types

In all SaaS, PaaS, and IaaS deployments, Microsoft is always responsible for securing the physical layer of the service. Namely, Microsoft handles the security of the physical hosts, networks, and data centers.

Similarly, in SaaS, PaaS, and IaaS deployments, customers are always responsible for securing the data and identities. In other words, customers ensure that information, data, devices, accounts, and identities are secure. 

The table below summarizes the common Microsoft and customer responsibilities in SaaS, PaaS, and IaaS deployment models.

Microsoft Responsibility	Customer Responsibility
Physical host	Information and data
Physical network	Devices (mobile and PCs)
Physical datacenter	Accounts and identities

Table 1: Microsoft and customer responsibilities in SaaS, PaaS, and IaaS

Details of customer responsibilities

As explained above, customers are always responsible for securing their information, data, devices, accounts, and identities, regardless of the cloud deployment model used. This section outlines a few examples of how customers should leverage the shared responsibility model to secure their workloads in Azure and Office 365. 

Information and data

Customers store sensitive, personal, and private information and data in Azure and Office 365. They are responsible for selecting the appropriate storage type and encryption method in Azure, applying data loss prevention (DLP) policies to protect sensitive data in Office 365, and implementing the required inbound and outbound access rules to secure network access.

For the most part, Microsoft is responsible for service availability and reliability, providing logs, and reporting. 

The table below lists a few examples of Microsoft’s and customers’ responsibilities in securing information and data in the cloud. 

Area	Microsoft Responsibility	Customer Responsibility
Data Storage	Storage account service availability Generation of security access keys Secure local and geo-replications	For data encryption, use the default Microsoft encryption keys or your own. Figure 2 below shows the two options. Select the correct storage type for your data (blobs, file shares, queues, or tables).  Configure appropriate security and network options. Enable audits and create alert rules.
Data Loss Protection	Service Availability Integrated policy templates  Logs, reports, and notifications	Apply, test, and deploy email and sensitive data DLP policies in Office 365 tenants.  Investigate false positives and fine-tune DLP policies accordingly. Monitor incident reports and assess potential risks.
Network Access	NSG and firewall service availability	Security rules in network security groups (NSGs) enable customers to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. The default NSG inbound rules allow traffic to flow to all subnets in the virtual network. However, the rules block external traffic. Customers are required to configure inbound rules to meet their security requirements. For example, VMs hosting SQL servers should only talk to VMs hosting applications servers. VMs hosting websites should have inbound ports 80 and 443 from the internet. PaaS services (e.g., Azure SQL) support granular firewall configurations, including virtual network and firewall rules. Figures 3 and 4 show NSG and Azure SQL networking configuration options.

Table 2: Microsoft and customer responsibilities in securing information and data in the cloud

Figure 2: Storage account encryption types

Figure 3: NSG inbound and outbound rules

Figure 4: Azure SQL networking options

Devices

Endpoint security is paramount to protecting customers' cloud environments, which makes Microsoft Intune a key pillar in the Microsoft cloud stack. With Intune, customers can assess compliance readiness and apply security updates on devices registered and joined via Azure AD. In addition, Azure AD conditional access ensures that only compliant and secure devices can connect to Azure and Office 365. 

Implementing Intune, Azure AD conditional access, and device registration are all the responsibility of customers. Microsoft handles service availability and reliability, logs, and reporting. 

The table below provides more details on Microsoft and customer responsibilities for securing devices in the cloud. 

Area	Microsoft Responsibility	Customer Responsibility
Device Access	Service Availability Azure AD integration with Intune Backend compliance checks Logs and reports	Register devices with Azure AD and implement Intune device-based conditional access. Only compliant devices, such as those running Windows 10, iOS, Android, and macOS, are allowed to access cloud resources. Monitor, assess, and fine-tune device and application policies. For example, device access requirements settings are shown in Figure 5.
Device and Data Protection	Service Availability Integrated capabilities Logs and reports	Deploy device configuration and compliance policies to control what users do with managed and unmanaged devices.  Block access to business data from devices that might be compromised.  Apply device encryption and MFA authentication.  Manage software updates, and apply device security baselines.

Table 3: Microsoft and customer responsibilities in securing devices in the cloud

Figure 5: Intune device access requirements settings

Accounts and identities

Identity is the new security perimeter of the cloud. Azure AD is the Microsoft cloud-based directory service that manages authentication and authorization for Microsoft cloud services such as Office 365, Intune, and Dynamics 365.

Microsoft is responsible for providing reliable, robust, available, and scalable directory service for customers to securely access their cloud-hosted business applications. For example, Azure AD Connect (AADC) supports password hash synchronization, passthrough authentication, and federation. Azure AD MFA prompts users during the sign-in process for an additional form of identification, such as entering a verification code sent to their cell phone or a fingerprint scan. Azure AD Conditional Access takes this to the next level by granting or blocking access based on defined security criteria such as location or device compliance. Finally, Azure AD privileged identity management (PIM) provides just-in-time privilege access to Azure AD and resources that provide identity governance.

Azure AD customers are responsible for implementing a robust authentication mechanism, applying security policies, monitoring, and auditing sign-ins in their environment. 

The table below lists a few examples of Microsoft’s and customers’ responsibilities in securing accounts and identities in the cloud. 

Area	Microsoft Responsibility	Customer Responsibility
Identity protection Leaked credentials Sign-in from anonymous IP addresses Impossible travel to atypical locations (such as signing in from the US and Europe within the same hour) Sign-in from unfamiliar locations Sign-in from infected devices Sign-in from IP addresses with suspicious activity	Service Availability Logs and reports	Customers must monitor and take action if users' credentials are compromised, users sign in from risky locations, or their devices are infected. In addition, customers need to have security measures in place to safeguard access to cloud resources. For example, implement Azure AD Conditional Access and force users to change their passwords if their credentials have been leaked. Also, block access in the case of impossible travel to atypical locations. Figure 6 shows the Azure AD identity protection policies.  Figure 7 shows the Azure AD identity protection dashboard. Note: Leaked credential reporting requires password hash sync if Azure AD is integrated with Windows AD. Identity protection requires Azure AD Premium licenses.
Least privilege	PIM and role-based access control (RBAC) service availability	Implement Azure AD PIM.  Set policies and assign them to users and groups. Monitor and audit usage in the environment. Use RBAC, the authorization system built on Azure, to provide fine-grained access to Azure and Office 365 resources.  Figure 8 shows Azure AD PIM configuration settings.
Azure AD SSO	Service availability Integrated apps	Apply Azure AD single sign-on (SSO) to secure access to enterprise applications.  Onboard and offboard access to business applications from a central place. This master repository can be Azure AD or Windows AD.

Table 4: Microsoft and customer responsibilities in securing accounts and identities in the cloud

Figure 6: Azure AD Identity protection policies

Figure 7: Microsoft identity protection dashboard

Figure 8: Azure AD PIM configuration settings

Recommendations and best practices

The following are a few recommendations and best practices for taking care of the customer responsibilities in the shared responsibility model in Azure.

• Use appropriate storage types in Azure, and configure encryption, security, and network access options that suit your business. 
• Apply DLP policies to sensitive data.
• Implement secure inbound and outbound rules and configure firewall policies for IaaS and PaaS services in Azure.
• Use Microsoft Intune for Mobile Device Management (MDM) and Mobile Application Management (MAM) solutions.
• Enable identity protection in Azure AD; monitor, assess, and alert the user about sign-in risks.
• Implement Azure AD PIM for just-in-time privilege access and identity governance.
• Implement Azure AD SSO, conditional access, and MFA.
• Use the Azure security center (now known as Defender for Cloud) to find and fix vulnerabilities, block malicious access, and alert you when your resources are under attack.

Conclusion

Understanding the shared responsibility model is vital for organizations hosting workloads in the cloud. The security features available in the cloud can provide greater security than on-premises as long as they are effectively utilized. Microsoft delivers robust and scalable security solutions in Azure and Office 365. Customers must assess and apply appropriate security measures to protect their information, data, devices, accounts, and identities.