Chapter 19 of 20
Security, Defense in Depth, and Microsoft Defender for Cloud (Conceptual)
Layer security controls across identity, network, data, and applications, and see where Microsoft Defender for Cloud fits into Azure’s security story.
Big Picture: Security in Azure and Defense in Depth
Three Big Ideas
You will connect three ideas: the shared responsibility model, the defense in depth concept, and how Microsoft Defender for Cloud fits into Azure’s security story.
Public Cloud Context
Azure is a public cloud: a provider-owned infrastructure delivering computing resources over the public internet to many tenants. Microsoft runs the platform; you deploy your workloads.
Shared Responsibility
The shared responsibility model defines how security and compliance duties are divided: Microsoft secures the cloud; you secure what you put in the cloud (accounts, data, apps, settings).
Defense in Depth Role
Defense in depth organizes your responsibilities across layers (identity, network, data, apps). Microsoft Defender for Cloud helps you see how secure those layers are and what to improve.
Defense in Depth: The Layered Security Model
What Is Defense in Depth?
Defense in depth is a strategy of using multiple, layered security controls so that if one control fails, others continue to protect your assets.
Castle / Onion Analogy
Think castle: outer walls (network), guards at the gate (identity), locked rooms (data protections), and internal rules (governance and monitoring).
Azure Security Layers
Key layers: physical (Microsoft), perimeter/network, identity and access, application, data, and governance/monitoring. These layers overlap rather than replace each other.
Exam Signal
If a scenario mentions “multiple independent protections” or “layers of controls,” it is usually describing or testing your understanding of defense in depth.
Shared Responsibility Meets Defense in Depth
Service Models Recap
IaaS, PaaS, and SaaS differ in who manages what. As you move from IaaS to SaaS, Microsoft manages more, and you manage less of the stack.
Layers and Responsibility
Physical is always Microsoft. Network is shared. Identity, apps, data, and governance are always your responsibility, even when Microsoft supplies the tools.
Defender for Cloud’s Focus
Microsoft Defender for Cloud mainly analyzes your resources and configurations, highlighting weaknesses in your layers and suggesting fixes.
Exam Angle
On AZ-900, be ready to answer who is responsible for which layer, and which Azure service (like Defender for Cloud) helps you manage your side of the responsibilities.
Identity Layer: Microsoft Entra ID, RBAC, and Access Controls
Identity as the Perimeter
In the cloud, attackers often target credentials rather than the network edge, so the identity layer becomes your first line of defense instead of just the network firewall.
Microsoft Entra ID
Microsoft Entra ID is Microsoft’s cloud-based identity and access management service used to sign in to Azure, Microsoft 365, and many SaaS apps.
RBAC for Authorization
Role-based access control (RBAC) provides fine-grained access management for Azure resources based on roles assigned to users, groups, and service principals.
Identity Controls and Defender
Controls include MFA, least-privilege RBAC, and just-in-time access. Microsoft Defender for Cloud flags weak identity setups, such as missing MFA on admins.
Network and Perimeter Layer: Isolating and Filtering Traffic
Network Layer Goal
The network layer controls how traffic flows to, from, and inside your Azure environment. Expose only what is necessary to reduce attack surface.
Key Network Controls
VNets/subnets isolate resources; NSGs filter traffic; Azure Firewall provides centralized firewalling; DDoS Protection and WAF defend public endpoints and web apps.
Exam Traps
Need to allow/deny ports for a VM? Think NSGs. Need centralized, advanced firewalling and threat intel? Think Azure Firewall.
Defender for Cloud’s Role
Defender for Cloud flags risky network setups, like open RDP/SSH to the internet, and suggests network hardening steps.
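NSG rules are applied in priority order and the first matching rule wins, which is why an "allow RDP from anywhere" rule stays dangerous even when a deny rule sits further down the list. The Python below is an added example, not course material or Microsoft code: it applies constructed inbound rules the way Azure evaluates them and reports which management ports are reachable from the internet, the condition Defender for Cloud flags in the text above. Protocol matching and CIDR arithmetic are left out; any rule whose source is `*`, `Internet` or `0.0.0.0/0` is treated as internet-reachable.

```python
# Added example (not from the course): priority-ordered NSG evaluation plus the
# "management ports open to the internet" check. Rule keys follow the Azure NSG
# securityRules properties; the rules themselves are constructed samples.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

def _port_match(port, port_range):
    """NSG destinationPortRange is '*', a single port, or 'low-high'."""
    if port_range == "*":
        return True
    low, _, high = str(port_range).partition("-")
    return int(low) <= port <= int(high or low)

def _source_is_internet(prefix):
    # '*', the Internet service tag and 0.0.0.0/0 all admit any public source.
    return prefix in ("*", "Internet", "0.0.0.0/0")

def internet_access(rules, port):
    """Inbound rules run lowest priority number first; the first match wins, as in Azure.
    If nothing matches, the platform's default DenyAllInBound rule applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or not _source_is_internet(rule["sourceAddressPrefix"]):
            continue
        if _port_match(port, rule["destinationPortRange"]):
            return rule["access"]
    return "Deny"

def exposed_management_ports(rules):
    """Return {port: name} for SSH/RDP reachable from the internet (a hardening finding)."""
    return {p: n for p, n in MANAGEMENT_PORTS.items() if internet_access(rules, p) == "Allow"}

def with_priority(rules, name, priority):
    """Copy of the rule set with one rule moved to a new priority (the fix: deny before allow)."""
    return [dict(r, priority=priority) if r["name"] == name else r for r in rules]

# Constructed rule set mirroring the "open RDP to the internet" setup the text warns about.
# DenyMgmt at priority 300 never fires for RDP because AllowRDPFromAnywhere matches first.
SAMPLE_RULES = [
    {"name": "AllowHTTPS", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowRDPFromAnywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowSSHFromCorp", "priority": 210, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "DenyMgmt", "priority": 300, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "22-3389"},
]
```

Running `exposed_management_ports(SAMPLE_RULES)` reports RDP as exposed while SSH (allowed only from the corporate prefix) is not; moving `DenyMgmt` to priority 150 with `with_priority` clears the finding.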
Data and Application Layers: Protecting What Really Matters
Why Data and Apps Matter Most
Attackers usually target data or application control. These layers are where many defense in depth controls focus in Azure.
Data Layer Controls
Use encryption at rest and in transit, strict access controls, and reliable backups and recovery to protect the confidentiality and availability of data.
Application Layer Controls
Secure PaaS configurations, validate inputs, avoid secrets in code, and use WAF to defend against common web attacks.
Defender for Cloud Support
Defender for Cloud flags misconfigurations (like public storage) and works with Defender plans (for SQL, Storage) to detect suspicious data and app activity.
Governance, Azure Policy, and Security Posture
Governance in Defense in Depth
Governance ensures your environment continues to follow your security rules over time, not just at initial deployment.
Azure Policy Definition
Azure Policy lets you create, assign, and manage policies that enforce rules and effects so resources stay compliant with standards and SLAs.
Security Posture and Secure Score
Security posture is your overall security health. Defender for Cloud expresses this as a secure score based on implemented recommendations.
Exam Mapping
Enforce or audit rules across resources? Think Azure Policy. View secure score and prioritized recommendations? Think Microsoft Defender for Cloud.
Microsoft Defender for Cloud: What It Is and What It Does
High-Level View
Microsoft Defender for Cloud is a cloud-native security posture management and threat protection solution for Azure and, optionally, hybrid and multi-cloud.
Posture Management
It continuously assesses resources, calculates a secure score, and provides prioritized security recommendations based on best practices and policies.
Defender Plans
Optional Defender plans (for Servers, SQL, Storage, etc.) add deeper workload protection and threat detection capabilities.
Key Integrations
Defender for Cloud uses Azure Policy for compliance checks and can send alerts into Azure Monitor, fitting into your broader monitoring and governance strategy.
Walkthrough Example: Hardening a Simple Azure Web App with Defense in Depth
Scenario Overview
You deploy an Azure App Service web app, an Azure SQL Database, and Azure Storage for images. How do you apply defense in depth and use Defender for Cloud?
Identity and Network
Identity: use Microsoft Entra ID, MFA, and least-privilege RBAC. Network: restrict database to the web app and avoid public storage unless necessary.
Data and Application
Data: enable TDE, encryption at rest, and backups. Apps: enforce HTTPS and keep secrets out of code by using Key Vault or managed identities.
Governance and Defender
Governance: use Azure Policy to enforce HTTPS and limit public storage. Defender for Cloud then scores your setup and recommends hardening steps.
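The governance step above comes down to writing Azure Policy rules, and the same two rules are what the thought exercise and second quick check later ask about. The Python below is an added example, not course material or Microsoft's policy engine: it evaluates two constructed policy rules (deny anonymous blob access, deny storage accounts without secure transfer), written with the real `Microsoft.Storage` aliases, against constructed storage account documents. It supports only the field/equals/not/allOf subset of the rule language and simplifies alias resolution to the last alias segment under `properties`.

```python
# Added example (not from the course): a tiny evaluator for the field/equals/not/allOf subset
# of the Azure Policy rule language. Aliases are real; resource documents are constructed.
STORAGE = "Microsoft.Storage/storageAccounts"
PUBLIC_ACCESS = STORAGE + "/allowBlobPublicAccess"
HTTPS_ONLY = STORAGE + "/supportsHttpsTrafficOnly"
# Rule 1 (thought-exercise Scenario 1): deny storage accounts that allow anonymous blob access.
DENY_PUBLIC_BLOB_ACCESS = {
    "if": {"allOf": [{"field": "type", "equals": STORAGE},
                     {"field": PUBLIC_ACCESS, "equals": "true"}]},
    "then": {"effect": "deny"}}
# Rule 2 (second quick check): deny storage accounts unless secure transfer (HTTPS only) is on.
# 'not equals true' also catches accounts where the flag was never set (value missing).
DENY_INSECURE_TRANSFER = {
    "if": {"allOf": [{"field": "type", "equals": STORAGE},
                     {"not": {"field": HTTPS_ONLY, "equals": "true"}}]},
    "then": {"effect": "deny"}}

def _resolve(field, resource):  # top-level fields by name; alias -> last segment under 'properties'
    if "/" not in field:
        return resource.get(field)
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])

def _norm(value):  # Policy compares case-insensitively; booleans behave like their string form
    return None if value is None else str(value).lower()

def matches(cond, resource):
    """Evaluate one condition block of a policy rule against a resource document."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    return _norm(_resolve(cond["field"], resource)) == _norm(cond["equals"])

def evaluate(rule, resource):
    """Return the rule's effect ('deny') when its condition matches, otherwise 'allow'."""
    return rule["then"]["effect"] if matches(rule["if"], resource) else "allow"

# Constructed sample resources in ARM JSON shape: leaky, hardened, and legacy (HTTPS flag never set).
SAMPLE_RESOURCES = [
    {"type": STORAGE, "name": "stleaky",
     "properties": {"allowBlobPublicAccess": True, "supportsHttpsTrafficOnly": False}},
    {"type": STORAGE, "name": "sthardened",
     "properties": {"allowBlobPublicAccess": False, "supportsHttpsTrafficOnly": True}},
    {"type": STORAGE, "name": "stlegacy", "properties": {"allowBlobPublicAccess": False}},
]

def audit(resources=SAMPLE_RESOURCES):
    """Compliance report: resource name -> effect per rule ('deny' means non-compliant)."""
    return {r["name"]: {"public_access": evaluate(DENY_PUBLIC_BLOB_ACCESS, r),
                        "https_only": evaluate(DENY_INSECURE_TRANSFER, r)} for r in resources}
```

`audit()` flags the leaky account on both rules and the legacy account only on secure transfer, which is the kind of finding Defender for Cloud surfaces as a recommendation once such policies are assigned.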
Layer-Mapping Thought Exercise
Work through these quick scenarios and decide which defense in depth layer is most directly involved, and which Azure tool is the best fit. Then compare your reasoning with the guidance.
- Scenario 1: You discover that a developer accidentally created a storage account that allows anonymous public access to blobs.
  - Question A: Which layer is this mainly about (identity, network, data, app, governance)?
  - Question B: Which Azure service would you use to enforce a rule preventing public access on new storage accounts?
- Scenario 2: A security lead wants a single dashboard showing how secure your subscriptions are and which actions to take first.
  - Question A: Which layer or concept is this mainly about (governance/monitoring vs. network vs. identity)?
  - Question B: Which Azure service provides this dashboard with secure score and recommendations?
- Scenario 3: You need to ensure that only certain admins can create or delete resource groups in a subscription.
  - Question A: Which layer is this primarily about?
  - Question B: Which feature does Azure provide to control who can perform these actions?
Suggested answers (self-check)
- Scenario 1: A) Data layer (how data is exposed), with some governance. B) Azure Policy enforcing no public access.
- Scenario 2: A) Governance/monitoring and overall security posture. B) Microsoft Defender for Cloud.
- Scenario 3: A) Identity and access. B) RBAC roles in Microsoft Entra ID / Azure Resource Manager.
If you mis-mapped any, review the relevant layer’s step before moving on.
Quick Check: Concepts and Tools
Test your understanding of defense in depth and Microsoft Defender for Cloud.
Which statement best describes the role of Microsoft Defender for Cloud in Azure security?
- A) It automatically encrypts all data and blocks all suspicious traffic without configuration.
- B) It provides security posture management with secure score and recommendations, and can add threat protection through Defender plans.
- C) It replaces Network Security Groups and Azure Firewall as the primary network security control.
- D) It is only used to manage user identities and multi-factor authentication settings.
Answer: B) It provides security posture management with secure score and recommendations, and can add threat protection through Defender plans.
Microsoft Defender for Cloud focuses on security posture management (secure score, recommendations) and, with optional Defender plans, adds threat protection for workloads. It does not automatically fix everything, does not replace NSGs or Azure Firewall, and it is not an identity-only tool.
Quick Check: Defense in Depth Layers
Apply your knowledge of layers and tools to a scenario.
You need to ensure that all new storage accounts in your subscription require secure transfer (HTTPS only). Which combination best matches the defense in depth layer and Azure service you should use?
- A) Network layer, Microsoft Defender for Cloud
- B) Data layer, Azure Backup
- C) Governance layer, Azure Policy
- D) Identity layer, Microsoft Entra ID
Answer: C) Governance layer, Azure Policy
Requiring HTTPS for storage accounts is a configuration rule that affects how data is accessed. Enforcing this rule across the subscription is a governance task, and Azure Policy is the service designed to enforce such configuration rules.
Key Terms Review: Security and Governance
Use these flashcards to reinforce the core concepts for AZ-900 related to this module.
- Defense in depth
- A security strategy that uses multiple, layered security controls (identity, network, data, apps, governance, etc.) so that if one control fails, others still protect the environment.
- shared responsibility model
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- Microsoft Defender for Cloud
- An Azure-native security posture management and threat protection solution that continuously assesses resources, provides secure score and recommendations, and can add workload protection through Defender plans.
- Security posture / secure score
- Security posture is your overall security health across resources and configurations. In Azure, Microsoft Defender for Cloud expresses this as a secure score based on implemented security recommendations.
- Network Security Group (NSG)
- A network-level security control that filters inbound and outbound traffic to Azure resources using rules based on source, destination, port, and protocol.
Wrap-Up: Connect to Your AZ-900 Study Plan
To consolidate this module, take a minute to connect the concepts to how you will see them on AZ-900 and in real Azure use.
- Self-explanation (1–2 minutes). In your own words (out loud or in notes), answer:
  - What is defense in depth, and why is it important in cloud environments?
  - How does Microsoft Defender for Cloud help you improve your security posture?
  - Give one example each of an identity, network, data, and governance control in Azure.
- Common exam traps to watch for:
  - Confusing Azure Policy (enforce/audit configuration rules) with Defender for Cloud (assess posture, secure score, recommendations).
  - Thinking Microsoft fully secures everything in the cloud. Remember the shared responsibility model: you always own identity, data, and configuration.
  - Mixing up identity tools: Microsoft Entra ID handles who you are (authentication); RBAC defines what you can do with Azure resources (authorization).
- Next steps in this Skarp course:
  - Take the next diagnostic to see how well you can map scenarios to the right security layer and tool.
  - Use the upcoming mock exam to pressure-test these concepts under time limits.
  - After your next attempt, review the gap guide, which will go deeper into whichever security and governance topics you struggled with.
If any concept still feels fuzzy (for example, secure score vs. Azure Policy, or NSG vs. Azure Firewall), mark it for review so it surfaces again in your spaced repetition queue.
Key Terms
- Azure Policy
- Azure Policy is a service in Azure that you use to create, assign, and manage policies that enforce rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- hybrid cloud
- A hybrid cloud is a computing environment that combines public and private clouds, allowing data and applications to be shared between them.
- public cloud
- A public cloud is a cloud deployment model in which a cloud provider owns and operates the infrastructure and delivers computing resources over the public internet to multiple tenants.
- secure score
- A metric in Microsoft Defender for Cloud that quantifies your security posture based on implemented security recommendations.
- private cloud
- A private cloud is a cloud deployment model in which cloud resources are used exclusively by a single organization, either hosted on-premises or by a third-party provider.
- cloud computing
- Cloud computing is the delivery of computing services over the internet, enabling faster innovation, flexible resources, and economies of scale.
- defense in depth
- A layered security strategy that uses multiple, overlapping controls (identity, network, data, application, governance, etc.) so that if one control fails, others still protect the environment.
- security posture
- The overall status of an organization’s security controls and readiness, often summarized in Azure by Microsoft Defender for Cloud’s secure score.
- Microsoft Entra ID
- Microsoft Entra ID is Microsoft’s cloud-based identity and access management service that helps employees sign in and access resources such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
- shared responsibility model
- The shared responsibility model is a framework that defines how security and compliance responsibilities are divided between the cloud provider and the customer.
- Microsoft Defender for Cloud
- An Azure-native security posture management and threat protection solution that continuously assesses resources, provides secure score and recommendations, and can add workload protection through Defender plans.
- Network Security Group (NSG)
- An Azure network security feature that filters inbound and outbound traffic to resources using rules based on source, destination, port, and protocol.
- Platform as a Service (PaaS)
- Platform as a Service (PaaS) is a cloud service model that provides a complete development and deployment environment in the cloud, including infrastructure, middleware, and development tools.
- Software as a Service (SaaS)
- Software as a Service (SaaS) is a cloud service model that delivers software applications over the internet on a subscription basis.
- role-based access control (RBAC)
- Role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources based on roles assigned to users, groups, and service principals.
- Infrastructure as a Service (IaaS)
- Infrastructure as a Service (IaaS) is a cloud service model that provides virtualized computing resources such as servers, storage, and networking on demand.