How does your company understand the quality of their security posture against security controls that are possible to configure within Azure?

One way of looking at this issue is by using the Azure Security Center Secure Score.

• Secure Score measures what you have done to secure your environment compared to what you can do
• Your secure score will change depending on what resources are deployed in a subscription
• Two organizations can only have the same secure score if they have the same resources deployed with the same security configuration
• Secure Score will change as new security configuration options become available over time

There quite a few built-in Azure services that would help you secure any hybrid environments and help you improve you Secure Score, as you can see from the diagram below.

Security controls are designed to ensure technology solutions are built and maintained in ways that ensure function and security successfully coexist. This ideal holds strong in Azure where Microsoft is constantly vetting and monitoring the implementation of their security controls, as well as watching their service teams continue to innovate new functionality in the cloud environment. With that said, the cloud presents a spectrum of responsibilities based on what types of services and/or features a customer may be consuming. This is unlike more traditional on-premises information systems where most, if not all, security is implemented by the same owner.

As organizations move from IaaS, to PaaS and then to SaaS, you’ll find that they are responsible for less and the cloud service provider is responsible for more.

The figure below describes how shared responsibility works across the cloud service models.

Make sure you understand you role in this complex paradigm that is cloud computing and don’t assume the Cloud provider will manage all security aspects of your environment!