Security models: Zero Trust, defense-in-depth

Azure identity, access, and security

📘Microsoft Certified: Azure Fundamentals (AZ-900)


Microsoft Azure emphasizes strong security practices to protect your resources, users, and data. Two important security models you need to know for the exam are:

  1. Zero Trust Security Model
  2. Defense-in-Depth Security Model

We’ll explain each in simple terms and show how they apply in IT environments.


1. Zero Trust Security Model

Definition:
Zero Trust is a security model based on the principle “Never trust, always verify.”
This means no user or device is automatically trusted, even if they are inside the network. Every request to access resources is continuously verified.

Key Principles of Zero Trust in Azure:

  1. Verify Explicitly:
    • Every access request must be verified using multiple factors: identity, device health, location, and data sensitivity.
    • Example in IT: When a user logs into Azure, Azure Active Directory (Azure AD) can require Multi-Factor Authentication (MFA) to confirm their identity.
  2. Use Least Privilege Access:
    • Users and apps get only the access they need—no more.
    • Example: A finance employee can access the financial database but cannot access HR or IT systems.
  3. Assume Breach:
    • The system assumes that attackers may already be inside, so all traffic is monitored and logged.
    • Example: Azure monitors unusual login activity and can trigger alerts or block access automatically.
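The three principles above combined in one small policy evaluator, added here as an illustration (it is not Azure code or the Conditional Access API; the users, role assignments, trusted locations and request signals are constructed):

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: who may touch which resource (least privilege),
# and which network locations are treated as trusted.
ROLE_ASSIGNMENTS = {"alice": {"finance-db"}, "bob": {"hr-db"}}
TRUSTED_LOCATIONS = {"corp-office"}
AUDIT_LOG = []  # assume breach: every decision is recorded for monitoring

@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: str       # "low" or "high"
    device_compliant: bool
    mfa_done: bool
    location: str          # e.g. "corp-office", "home", "unknown"

def _decide(req, decision, reason):
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "location": req.location, "decision": decision, "reason": reason})
    return decision

def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'require_mfa' or 'deny' for one request."""
    # Least privilege: no role assignment means no access, whatever the other signals say.
    if req.resource not in ROLE_ASSIGNMENTS.get(req.user, set()):
        return _decide(req, "deny", "no role assignment")
    # Verify explicitly: device health is checked on every request, inside or outside the network.
    if not req.device_compliant:
        return _decide(req, "deny", "device not compliant")
    # Sensitive data or an untrusted location raises the bar to MFA.
    if req.sensitivity == "high" and not req.mfa_done:
        return _decide(req, "require_mfa", "sensitive data")
    if req.location not in TRUSTED_LOCATIONS and not req.mfa_done:
        return _decide(req, "require_mfa", "untrusted location")
    return _decide(req, "allow", "all signals satisfied")

def suspicious_users(threshold: int = 3) -> list:
    """Assume breach: users with repeated denials are flagged for alerting or blocking."""
    denials = Counter(e["user"] for e in AUDIT_LOG if e["decision"] == "deny")
    return sorted(u for u, n in denials.items() if n >= threshold)

if __name__ == "__main__":
    print(evaluate(AccessRequest("alice", "finance-db", "low", True, False, "corp-office")))   # allow
    print(evaluate(AccessRequest("alice", "finance-db", "high", True, False, "corp-office")))  # require_mfa
    for _ in range(3):
        evaluate(AccessRequest("mallory", "finance-db", "low", True, True, "unknown"))         # deny x3
    print(suspicious_users())  # ['mallory']
```

Note that the role check runs before any signal is considered: a fully verified user still gets nothing they were not assigned, which is the point of combining least privilege with explicit verification.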

Azure Tools Supporting Zero Trust:

  • Azure Active Directory (Azure AD): Identity and access management with conditional access policies.
  • Microsoft Defender for Cloud: Monitors for suspicious activity and threats.
  • Azure Information Protection: Protects sensitive data, ensuring only authorized users can access it.

Why it matters for the exam:

  • Know the definition, principles, and examples of Zero Trust.
  • Understand that it does not assume internal users are trusted, which is a key difference from traditional models.

2. Defense-in-Depth Security Model

Definition:
Defense-in-depth is a layered security approach. It protects systems by using multiple security measures at different levels, so if one layer fails, others still protect your resources.

Layers of Defense-in-Depth in Azure:

  1. Physical Layer:
    • Protection of physical data centers with security personnel, cameras, and access controls.
    • Azure handles this, so you don’t need to manage it directly.
  2. Network Layer:
    • Protects data traveling in your network.
    • Tools: Network Security Groups (NSGs), Azure Firewall, VPN Gateway.
  3. Identity Layer:
    • Protects user accounts and access.
    • Tools: Azure AD, Conditional Access, MFA.
  4. Application Layer:
    • Ensures apps are secure and cannot be exploited.
    • Tools: Azure Web Application Firewall, Azure Security Center.
  5. Data Layer:
    • Protects stored data through encryption and access control.
    • Tools: Azure Storage encryption, Azure Key Vault.

Example in IT:
Even if someone bypasses the network firewall, they still need the correct Azure AD credentials. If they steal credentials, sensitive files are still encrypted. This way, multiple layers protect the resources.

Why it matters for the exam:

  • Know the definition of defense-in-depth.
  • Be able to identify the layers and Azure tools that protect each layer.
  • Understand that multiple layers of security provide stronger protection than relying on a single method.

Zero Trust vs Defense-in-Depth

Feature          | Zero Trust                           | Defense-in-Depth
-----------------|--------------------------------------|--------------------------------------------------
Core Idea        | Never trust, always verify           | Multiple security layers protect assets
Focus            | Identity, device, access policies    | Multiple layers: network, app, data, identity
Example in Azure | Conditional Access, MFA              | NSG, Firewall, Key Vault, Encryption
Assumption       | Internal networks may be compromised | Focuses on preventing breaches at multiple levels

Key Point for Exam:

  • Zero Trust focuses on who and what is accessing resources.
  • Defense-in-Depth focuses on layers of protection across the system.
  • Both models are used together in Azure to enhance security.

Summary for Exam Preparation

  1. Zero Trust:
    • Always verify every user/device.
    • Use least privilege access.
    • Assume breaches can happen.
    • Azure tools: Azure AD, Conditional Access, MFA, Defender for Cloud.
  2. Defense-in-Depth:
    • Use multiple layers of protection: physical, network, identity, application, data.
    • Protect resources even if one layer fails.
    • Azure tools: NSG, Azure Firewall, Key Vault, Encryption, Security Center.
  3. Remember: Both models are complementary and widely used in Azure to protect cloud resources.