End-to-End Security in Azure with Encryption, Confidential Computing, and Zero Trust

In this post, you will learn how to holistically protect data, applications, and infrastructure in Microsoft Azure with Zero Trust, network segmentation, identity management, encryption (at-rest, in-transit, in-use), and Confidential Computing.

Your Security Guide for the Azure Cloud

There is a wide variety of services and mechanisms available to improve the security of your cloud environment. This blog post is designed to help you quickly understand the key concepts and mechanisms. Your data is one of the most sought-after targets for attackers, so you inevitably need to address this topic.

For this reason, the focus of this blog post—alongside Azure-specific mechanisms—is on principles, methods, and services that enable greater security in your Azure Cloud.

Fundamentally, there are 3 pillars for protecting your data:

  • Data at Rest (Storage): Protecting stored data, even if the underlying infrastructure were compromised.
  • Data in Transit (Transmission): Ensuring that information cannot be intercepted or tampered with during transfer.
  • Data in Use (Processing): Securing sensitive data while it is actively being processed in memory or on the processor.

Microsoft Azure provides a wide range of security services and technical mechanisms for each of these phases, from default encryption to private networking to Confidential Computing. Together, they enable an end-to-end security concept that helps organizations comply with regulatory requirements, minimize risks, and strengthen the trust of customers and partners.

In the following sections, we will dive deeper into these three areas, highlight concrete Azure technologies, and show how data can be comprehensively protected.

What does cloud security in Azure look like?

Cloud security is one of the central prerequisites for digital transformation. With Microsoft Azure, organizations have access to a platform that is designed to be secure from the ground up, while also providing flexible tools to individually secure applications, data, and networks.

Microsoft structures its security services in Azure across three functional areas that together represent a defense-in-depth strategy—i.e., a multi-layered security concept:

  • Secure and Protect: This involves preventive defense with security controls that safeguard identities, hosts, networks, and data.
  • Threat Detection: If threats cannot be defended against preventively, a rapid response to unusual behavior is required. Dedicated services such as Microsoft Sentinel, Defender for Cloud, or Application Insights/Azure Monitor exist to identify these unusual activities.
  • Investigate and Respond: After detection comes the response to unusual activities with the isolation of attack vectors and documentation of the root causes.

For these functional areas to work effectively, it is advisable to implement consistent standards and best practices. With the Cloud Security Benchmark, there are helpful guides available for establishing a solid foundation for your cloud security at both the platform and app levels.

Overview Microsoft Cloud Security Benchmark

To provide a brief overview of the available security features in the Azure Cloud, we will now look at the areas of operations, applications, storage, network, compute, and identity.

Operational Security

Azure offers a wide range of integrated services that support IT teams in detecting, analyzing, and mitigating threats.

  • Microsoft Sentinel: A cloud-native SIEM and SOAR service that detects attacks, analyzes threats, and enables automated responses.
  • Defender for Cloud: Provides visibility, policy management, and threat detection for all Azure resources.
  • Azure Resource Manager: Standardized, template-based deployments minimize configuration errors in security settings.
  • Application Insights & Azure Monitor: Comprehensive monitoring, diagnostics, and forensic analysis of applications and infrastructure.
  • Azure Advisor: AI-driven recommendations to improve performance, security, and cost management.

Application Security

To secure workloads at the application level, Azure provides the following services and solutions:

  • Web Application Firewall (WAF): Protection against OWASP Top 10 attacks such as SQL injection or XSS.
  • App Service Authentication: Integrated authentication/authorization without additional backend code.
  • Multi-tier security architectures: Isolation for Azure services with fine-grained access controls.
  • Advanced diagnostics: Logging and tracing simplify root cause analysis in case of errors or attacks.
  • Penetration testing rules: Azure allows customer-conducted testing of their own applications within clearly defined guidelines.

Data Security

To securely access stored data, the following features are available:

  • Shared Access Signatures (SAS): Time-limited, delegated access to storage resources.
  • Encryption: Protection during transmission (TLS, SMB 3.0, client-side) and at rest (Storage Service Encryption, Disk Encryption for VMs).
  • Storage Analytics: Logging of access and errors for traceability.
  • CORS support: Enables secure cross-origin access for browser-based applications.

Network Security

The network layer of your Azure Cloud environment forms the foundation for protecting your data and services from unauthorized access. For this reason, you can use the following services to restrict or block network traffic:

  • Network Security Groups (NSG): Stateful packet filtering at the subnet or VM level.
  • Azure Firewall: Scalable firewall-as-a-service with L3–L7 filtering and premium IDPS.
  • Azure DDoS Protection: Defense against volumetric attacks with rapid response and cost protection options.
  • Route control & forced tunneling: Ensures secure data flow through security appliances.
  • Azure Virtual Network Manager: Central enforcement of security policies at the network level.
  • Private Link: Secure, private endpoints for PaaS services without exposure to the public internet.
  • VPN Gateway & ExpressRoute: Encrypted connections or dedicated WAN links for hybrid environments.
  • Load Balancer, Application Gateway, Front Door & Traffic Manager: Highly available and intelligent routing.
  • Azure DNS & internal DNS: Management and security of name resolution.
  • Advanced Container Networking Services (ACNS): Security and visibility for Kubernetes clusters.

Compute Security

Your applications and services need to be deployed on virtual machines or other Azure compute services. For this reason, you must also address the security of your workloads. Below is an initial selection of protection features:

  • Azure Confidential Computing: Encrypted processing of sensitive data, even in memory.
  • Antimalware integration: Protection through Microsoft and third-party solutions.
  • Key Vault with HSM support: Secure storage and management of cryptographic keys.
  • Backup & Site Recovery: Protection against data loss and outages through automated replication and recovery.
  • SQL and disk encryption: Integration with Key Vault for centralized key storage.
  • Patch and update management: Automated protection against known vulnerabilities.

Identity and Access Management

To restrict user access to data and services, Microsoft Entra ID serves as the central IAM platform of your Azure Cloud. The following functions represent an initial selection:

  • Multi-Factor Authentication (MFA) and Microsoft Authenticator to secure accounts.
  • Password policies and token-based authentication for robust access control.
  • Role-Based Access Control (RBAC) for fine-grained permission assignment.
  • Hybrid identity to ensure consistent identities across on-premises and cloud.
  • Identity Protection and Privileged Identity Management (PIM) to minimize risks.
  • B2B and B2C collaboration for secure partner and customer integration.
  • Application Proxy for secure remote access to on-premises applications.

These examples from the areas of operations, applications, storage, network, compute, and identity serve as a brief overview of the many mechanisms, services, and solutions already integrated into the Azure Cloud. In the following chapters, we will look at more specific solutions and services, so this list should not be understood as a complete feature set.

Shared Responsibility in the Cloud

Moving to the cloud does not mean that organizations hand over all of their security responsibilities to the provider. Instead, cloud security follows the Shared Responsibility Model. This model clearly defines which security tasks are the responsibility of the cloud provider and which remain with the customer. This means all key decisions regarding technologies, safeguards, and preventive measures remain part of the customer’s responsibilities.

In an on-premises IT environment, organizations are responsible for the entire infrastructure, including physical security of data centers, networks, hardware, virtualization, operating systems, middleware, applications, data, identities, access control, and endpoints.

With the move to the cloud, this burden shifts. The physical provisioning and maintenance of hardware, networks, and core infrastructure is fully operated and secured by Microsoft. However, organizations still retain key responsibilities such as data and identity protection, endpoint security, access control, and configuration management.

Overview Shared Responsibility Model

The advantage of cloud solutions, however, is that—depending on the chosen cloud model—you can offload more responsibility:

  • Infrastructure-as-a-Service (IaaS): Microsoft secures the infrastructure (data center, hardware, virtualization). Customers remain responsible for OS patches, network configurations, applications, identities, and data.
  • Platform-as-a-Service (PaaS): The customer’s responsibility shifts more toward applications and data. Microsoft additionally manages the operating system, platform services, and their security.
  • Software-as-a-Service (SaaS): The provider manages nearly the entire stack, including application delivery. Customers, however, retain control over users, access rights, data classification, and endpoints.

By contrast, on-premises in your own data center, you must manage all layers independently. Certain tasks, however, remain your responsibility regardless of the chosen cloud model, such as protecting data, identities, endpoints, and access management.

Nevertheless, the advantages of cloud solutions are undeniable. They can relieve your IT team, allow you to focus on development, outsource security services such as DDoS protection or Zero Trust mechanisms, and benefit from the mature solutions of large cloud providers.

For the use of artificial intelligence, a separate Shared Responsibility Model exists. In the following article from the Microsoft documentation you will find further information.

What is Zero Trust?

The increasing shift of workloads to the cloud, the rise of remote work, and the growing number of mobile devices are making traditional security approaches obsolete. Traditionally, IT security was based on the concept of perimeter defense. Everything inside the corporate network was considered trustworthy, while external access was tightly controlled. In a hybrid, cloud-based world, however, this model is no longer sufficient. This is exactly where the Zero Trust security model comes in.

Zero Trust is based on three principles that Microsoft defines as essential for modern security:

  • Verify explicitly: Every access request is verified, regardless of source or location. Factors such as user identity, device health, location, application, or workload are included in authentication and authorization.
  • Least-privilege access: Access is restricted to the minimum necessary. Adaptive policies, risk-based decisions, and continuous evaluation reduce the attack surface and the risk of misuse.
  • Assume breach: It is assumed that an attack has already occurred. Measures such as resource segmentation, end-to-end encryption, monitoring, and automated responses are applied to limit damage.

Example of a Zero Trust architecture

Whereas in the past all resources were shielded behind a secure corporate network, today adaptive, identity-centric access control is required. Zero Trust replaces the perimeter approach and enables secure access from anywhere, the integration of hybrid environments, and continuous improvement through analytics and automation.

Protecting Your Azure Platform and Infrastructure

After looking at the first examples of securing the Azure Cloud, in this chapter I want to get more specific and explore different aspects of Azure cloud security in greater detail. Here, I will provide both foundational principles and concrete implementation suggestions for individual services.

Azure Data Centers and Physical Security

The physical security of cloud infrastructures is the foundation of any trusted platform. Microsoft Azure is built on a global network of highly secure data centers, specifically designed to best protect data and workloads.

Azure operates more than 100 highly secure data centers across over 60 regions worldwide, delivering services in 140 countries. The infrastructure is designed so that applications are delivered close to users to reduce latency. With the growing demand for data sovereignty, both global and regional deployment methods are available. You can fully rely on Microsoft’s data centers or even use Azure Local to run your own data centers for hosting Azure services.

Microsoft categorizes its data centers according to the following concepts:

  • Geographies: Grouping multiple regions within a geographic area to ensure data residency and resilience.
  • Regions: Collections of multiple data centers connected by a high-performance, encrypted network.
  • Availability Zones: Physically separate data centers within a region, each with its own power, cooling, and networking, designed for high availability and fault tolerance.

Categorization of Microsoft data centers

Similar to your own data center, Microsoft implements measures to prevent unauthorized access to its facilities. These include access requests, visitor rules, and extensive surveillance, just like in your company. In addition, secure device and media management ensures that storage media are either securely wiped or physically destroyed at the end of their lifecycle, with every destruction documented. Regular security reviews and strict separation of service management and physical access provide additional layers of control.

To ensure service availability in case of outages or disasters, data is replicated multiple times within every Azure primary site. Most Azure regions have multiple availability zones that redundantly hold your data. If additional redundancy is required, data can also be stored across regions.

Explaining in detail how Microsoft provides the Azure Cloud and implements these functional areas would go beyond the scope of this blog post. If you are interested, I recommend reading the following Microsoft documentation:

Protecting Your Azure Identities

Identity management is the central pillar of modern cloud security. Microsoft Entra ID provides a comprehensive platform that unifies authentication, authorization, and governance. To secure your cloud environment from the start, I would divide your identity management into the core areas of protecting users, protecting resources, and securing hybrid environments.

Below, we will look at Azure services and principles for each core area that can serve as a foundation. The suggested services represent only a fraction of the possibilities, so you can establish additional services and mechanisms depending on your requirements.

Protecting Users

User identities are the primary target of modern attacks. With multi-factor authentication (MFA) and identity protection, Entra ID provides enhanced security for logins and sessions.

Multi-Factor Authentication (MFA) enforces the use of multiple authentication methods, such as a password and an additional verification (via SMS, app push, phone call, or hardware token). It also supports third-party OAuth tokens and can be enforced via Conditional Access for specific scenarios.

Microsoft Entra ID Protection additionally uses machine learning to detect risky sign-in events in real time (e.g., sign-ins from unusual countries, compromised credentials). It classifies risks into user risks and sign-in risks and can automatically trigger countermeasures (such as password resets or additional MFA).

These measures protect users against compromised credentials, phishing, and unauthorized access—without unnecessarily complicating the login process.

Protecting Resources

In addition to securing identities themselves, cloud resources also need to be controlled and monitored at a granular level. Entra ID provides mechanisms such as Role-Based Access Control (RBAC), Privileged Identity Management (PIM), and Conditional Access.

Azure RBAC (Role-Based Access Control) is based on the Azure Resource Manager, the central component for creating and managing Azure resources. For every Azure service or resource, standard roles already exist that grant specific permissions. These standard roles—or your own custom-defined roles—allow you to precisely control who can perform which actions on which resources.

Of course, you could assign RBAC permissions to yourself, but that essentially defeats the purpose of roles. To prevent this, you can configure Privileged Identity Management (PIM). PIM prevents administrators from having permanent privileged access. Admin rights are only granted temporarily and require explicit approval from other admins or project members. That might sound annoying at first, but realistically, how often do you need the Owner role in your subscription on a daily basis?

If you also know that your team is based in Germany, it makes sense to further restrict access to cloud services or corporate resources using Conditional Access for specific countries.

Securing Hybrid Environments

In many cases, an internal data center with users and identities already exists before adopting Azure Cloud. To avoid synchronization issues with identities, you can use Entra Connect to support authentication models such as Pass-Through Authentication (PTA), Federation (AD FS), or Password Hash Sync (PHS).

If you didn’t start out in the Microsoft ecosystem, you can of course integrate third-party solutions with Entra External ID.

To avoid losing track, it’s useful to have a foundation. For this reason, the following checklist from the Microsoft documentation can at least be helpful when configuring Microsoft Entra ID.

-> Link to the checklist

Ensuring Network Security

Network security is a central element of any cloud security strategy. The primary goal is to protect resources from unauthorized access and attacks by controlling, segmenting, and monitoring network traffic. In Azure, this is achieved through a combination of native security services, configurable controls, and architectural patterns.

The principle is that only legitimate and authorized traffic is allowed—whether within your Azure networks, on-premises environments, or to/from the public internet.

The majority of your resources in Azure are integrated into a Virtual Network (VNet). A VNet forms a logically isolated segment based on the Azure network fabric. This isolation ensures that traffic between VNets or tenants does not flow unless explicitly configured.

Thus, VNets form the foundation of every security architecture. Organizations can subdivide VNets into subnets, connect them through peering, and link them to on-premises networks. This flexibility enables Zero Trust architectures where workloads are strictly separated.

The primary control instruments for traffic are Network Security Groups (NSGs). They filter traffic based on source IP, source port, destination IP, destination port, and protocol. NSGs can also be simplified with service tags and Application Security Groups, making restrictions easier to manage.
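
The following added example (not part of the original post) shows how NSG rules are evaluated in priority order, and uses that to report which management ports are effectively reachable from the internet. Field names follow the ARM securityRules schema; the rule names and values are constructed, and source matching is simplified to the prefixes "*", "Internet" and "0.0.0.0/0".

```python
# Added example: first-match evaluation of NSG inbound rules for internet traffic.
# Assumption: a rule applies to an arbitrary internet source only if its source
# prefix is "*", "Internet" or "0.0.0.0/0"; CIDR and other service tags are not expanded.

MGMT_PORTS = (22, 3389)
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed rule set (names and values are illustrative)
RULES = [
    {"name": "allow-https-in", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "443"},
    {"name": "deny-rdp-in", "priority": 200, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
    {"name": "allow-mgmt-in", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["22", "3389"]},
    {"name": "allow-admin-net", "priority": 310, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "192.0.2.0/24",
     "destinationPortRange": "8000-8100"},
]


def _port_matches(rule, port):
    """True if the port falls in the rule's single range or list of ranges."""
    ranges = list(rule.get("destinationPortRanges", []))
    if "destinationPortRange" in rule:
        ranges.append(rule["destinationPortRange"])
    for item in ranges:
        if item == "*":
            return True
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def effective_inbound_from_internet(rules, protocol, port):
    """Return (access, rule_name) of the first matching rule, lowest priority number first."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        if rule["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if rule["sourceAddressPrefix"] not in INTERNET_SOURCES:
            continue
        if _port_matches(rule, port):
            return rule["access"], rule["name"]
    # No custom rule matched: the platform default rule denies inbound traffic.
    return "Deny", "DenyAllInBound"


def exposed_management_ports(rules):
    """Map each management port that is allowed from the internet to the allowing rule."""
    exposed = {}
    for port in MGMT_PORTS:
        access, name = effective_inbound_from_internet(rules, "Tcp", port)
        if access == "Allow":
            exposed[port] = name
    return exposed


if __name__ == "__main__":
    for port, rule in exposed_management_ports(RULES).items():
        print(f"port {port} reachable from internet via rule {rule}")
```

In the constructed rule set, the allow rule at priority 300 lists both 22 and 3389, but only 22 is effectively open because the deny rule at priority 200 matches RDP first.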

For PaaS resources, Azure provides solutions such as Service Endpoints, Private Endpoints, and Private Link. While Service Endpoints restrict access to specific services (e.g., Storage, SQL Database) to a VNet, Private Link enables a direct, private connection via private endpoints without public IPs and without routing traffic over the public internet.

By default, Azure allows routing between subnets and outbound internet traffic. For security requirements, it is recommended to use User Defined Routes (UDRs). This enforces that all outbound traffic is routed through a Network Virtual Appliance (NVA) or the Azure Firewall. With forced tunneling, workloads are further prevented from initiating direct connections to the internet.

To connect your Azure infrastructure with your on-premises datacenter or to securely access corporate resources, you can use Point-to-Site VPNs for individual clients, Site-to-Site VPNs for connecting entire networks, ExpressRoute for dedicated, private WAN links with higher bandwidth and availability, or VNet peering for secure, low-latency communication between VNets across the Microsoft backbone.

If you want to ensure application availability, a combination of load balancers (e.g., Load Balancer, Application Gateway, Front Door, Traffic Manager) and dedicated threat protection services such as the Azure Web Application Firewall with DDoS Protection is recommended.

Secure name resolution is an essential component of network security, as a compromised DNS can have severe consequences and enable attacks such as subdomain takeover. Azure provides several mechanisms to ensure the integrity and availability of name resolution. With Azure DNS, organizations gain a highly available and scalable external DNS service, built on Azure’s global infrastructure.

For VNet-internal scenarios, Azure provides Private DNS Zones, which enable name resolution within virtual networks without relying on the public internet. In addition, DNS alias records can tie the lifecycle of DNS entries directly to resources such as Traffic Manager or public IP addresses, preventing dangling records that attackers could exploit. Additionally, Microsoft Defender for App Service protects against typical subdomain takeover risks and supports secure DNS lifecycle management.
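
For zones that still use plain CNAME records instead of alias records, the dangling-record check can be run against your own zone export. This added example (not from the original post) parses a BIND-style zone file and flags CNAMEs that point at Azure-managed hostnames missing from a resource inventory; the zone content, hostnames and the inventory set are constructed, and the suffix list is a non-exhaustive assumption.

```python
# Added example: find CNAME records in your own zone that point at Azure
# hostnames which no longer exist in your resource inventory.

# Assumption: a non-exhaustive list of Azure-managed DNS suffixes.
AZURE_SUFFIXES = (
    ".azurewebsites.net",
    ".trafficmanager.net",
    ".cloudapp.azure.com",
    ".azureedge.net",
    ".blob.core.windows.net",
)

# Constructed zone export for illustration
ZONE_EXPORT = """\
$ORIGIN example.com.
$TTL 3600
@      IN SOA ns1.example.com. hostmaster.example.com. 1 3600 300 2419200 300
www    IN CNAME contoso-web.azurewebsites.net.
promo  300 IN CNAME contoso-promo-2021.azurewebsites.net.
cdn    IN CNAME CONTOSO-cdn.azureedge.net.
api    IN CNAME contoso-api.trafficmanager.net.
docs   IN CNAME www        ; relative target inside the zone
shop   IN CNAME shops.example-saas.test.
"""

# Constructed inventory: hostnames of resources that currently exist
LIVE_HOSTNAMES = {"contoso-web.azurewebsites.net", "contoso-cdn.azureedge.net"}


def normalize(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()


def absolute(name, origin):
    """Resolve '@' and relative names against the zone origin."""
    if name == "@":
        return normalize(origin)
    if name.endswith("."):
        return normalize(name)
    return normalize(name + "." + origin)


def parse_cnames(zone_text):
    """Return {owner: target} for every CNAME line that carries its own owner name."""
    origin = ""
    records = {}
    for line in zone_text.splitlines():
        if line[:1].isspace():
            continue  # owner inherited from the previous line: not handled here
        tokens = line.split(";", 1)[0].split()  # strip comments
        if not tokens:
            continue
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1]
            continue
        upper = [t.upper() for t in tokens]
        if "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        if idx == 0 or idx + 1 >= len(tokens):
            continue  # malformed record
        records[absolute(tokens[0], origin)] = absolute(tokens[idx + 1], origin)
    return records


def find_dangling_cnames(zone_text, live_hostnames):
    """Return sorted (owner, target) pairs whose Azure target is not in the inventory."""
    live = {normalize(h) for h in live_hostnames}
    dangling = []
    for owner, target in parse_cnames(zone_text).items():
        if target.endswith(AZURE_SUFFIXES) and target not in live:
            dangling.append((owner, target))
    return sorted(dangling)


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(ZONE_EXPORT, LIVE_HOSTNAMES):
        print(f"dangling: {owner} -> {target}")
```

Records flagged this way should either be deleted or converted to alias records so that the DNS entry is removed together with the resource.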

Alongside correct and secure name resolution, monitoring and threat detection play a central role in network security. Visibility across all traffic is essential to detect attacks early and respond effectively.

Azure provides a wide range of tools that enable a holistic view of network traffic. With Azure Network Watcher, you can analyze network flows, create packet captures, and generate topology views, giving administrators deeper insight into communication paths. Complementary NSG flow logs provide detailed information on allowed and denied traffic, enabling precise analysis of security-relevant events. Using Azure Monitor in combination with Log Analytics, events can be collected, correlated, and analyzed centrally, supporting efficient monitoring and troubleshooting.
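
To make the NSG flow log analysis concrete, the added example below (not part of the original post) parses a version 2 flow log document and summarizes denied inbound traffic per source. The log content is constructed with documentation IP ranges, the rule name "UserRule_allow-https-in" is hypothetical, and the three-port threshold is an arbitrary assumption.

```python
# Added example: summarize denied and allowed traffic from an NSG flow log (version 2).
from collections import defaultdict

# Order of the comma-separated values in a version 2 flow tuple
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")
INT_FIELDS = ("ts", "src_port", "dst_port",
              "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

# Constructed sample document in the flow log layout (records > flows > flowTuples)
SAMPLE_LOG = {"records": [{
    "time": "2024-05-01T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{
            "mac": "000D3AF87856",
            "flowTuples": [
                "1714557600,203.0.113.7,10.0.1.4,50001,22,T,I,D,B,,,,",
                "1714557601,203.0.113.7,10.0.1.4,50002,3389,T,I,D,B,,,,",
                "1714557602,203.0.113.7,10.0.1.4,50003,445,T,I,D,B,,,,",
                "1714557603,198.51.100.9,10.0.1.4,41000,22,T,I,D,B,,,,",
            ]}]},
        {"rule": "UserRule_allow-https-in", "flows": [{
            "mac": "000D3AF87856",
            "flowTuples": [
                "1714557610,198.51.100.20,10.0.1.4,51515,443,T,I,A,B,,,,",
                "1714557615,198.51.100.20,10.0.1.4,51515,443,T,I,A,E,12,3400,10,9800",
            ]}]},
    ]},
}]}


def parse_tuple(raw):
    """Split one flow tuple into named fields; empty counters become 0."""
    parts = raw.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected flow tuple: {raw!r}")
    flow = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        flow[key] = int(flow[key]) if flow[key] else 0
    return flow


def iter_flows(doc):
    """Yield every flow tuple together with the NSG rule that matched it."""
    for record in doc["records"]:
        for rule_group in record["properties"]["flows"]:
            for mac_group in rule_group["flows"]:
                for raw in mac_group["flowTuples"]:
                    flow = parse_tuple(raw)
                    flow["rule"] = rule_group["rule"]
                    yield flow


def denied_inbound_ports(doc):
    """Map each source IP to the sorted destination ports it was denied on (inbound)."""
    ports = defaultdict(set)
    for flow in iter_flows(doc):
        if flow["direction"] == "I" and flow["decision"] == "D":
            ports[flow["src_ip"]].add(flow["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items()}


def multi_port_sources(doc, min_ports=3):
    """Sources denied on at least min_ports distinct ports: a simple triage signal."""
    return {ip: p for ip, p in denied_inbound_ports(doc).items() if len(p) >= min_ports}


def allowed_bytes_by_source(doc):
    """Total bytes in both directions for allowed flows, per source IP."""
    totals = defaultdict(int)
    for flow in iter_flows(doc):
        if flow["decision"] == "A":
            totals[flow["src_ip"]] += flow["bytes_s2d"] + flow["bytes_d2s"]
    return dict(totals)


if __name__ == "__main__":
    print(multi_port_sources(SAMPLE_LOG))
    print(allowed_bytes_by_source(SAMPLE_LOG))
```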

Microsoft Defender for Cloud expands on this by adding threat detection, compliance checks, and actionable security recommendations that can be integrated directly into operations. Additionally, Traffic Analytics provides visualization of traffic patterns, enabling early detection of anomalies, bottlenecks, or potential attack scenarios. By combining these features, organizations gain high transparency over their network infrastructure and can continuously adapt and improve their defense strategies.

We already covered this topic in detail in the following blog post, where you can find further insights:

-> Link to the blog post

Security for Virtual Machines

Virtual Machines (VMs) in Azure give organizations the ability to flexibly and scalably deploy workloads in the cloud without the need to manage their own hardware. Azure supports nearly all common platforms, operating systems, and applications—from Windows and Linux to SQL Server, Oracle, or SAP.

To ensure these VMs can be operated securely, Azure provides a wide range of security mechanisms that cover the entire VM lifecycle: from threat defense to encryption, backup and disaster recovery, to patching and compliance.

Azure supports leading antimalware solutions and natively integrates Microsoft Antimalware for Azure Cloud Services and Virtual Machines. This solution runs as an agent in the background and provides real-time protection, scheduled scans, automated remediation of detected malware, as well as continuous signature updates. Administrators can choose between a default configuration or a custom setup.

For enhanced security, Microsoft recommends using Defender for Endpoint, which further reduces attack surfaces and supports automated investigations. All antimalware solutions can also be integrated with Microsoft Defender for Cloud, allowing status information, alerts, and recommendations to be centrally managed.

The protection of sensitive data in Azure is achieved across multiple layers. With Azure Key Vault, cryptographic keys and secrets can be securely stored and managed via Microsoft Entra ID. This allows for secure handling of SQL Server encryption keys, application secrets, or certificates.

In addition, Azure Disk Encryption—based on BitLocker (Windows) and dm-crypt (Linux)—ensures that all data at rest is encrypted. Key management is also handled through Key Vault. Best practices recommend using Key Encryption Keys (KEKs) for additional protection, ensuring that VMs and Key Vault reside in the same region, and creating backups before enabling encryption.

To prevent data loss in virtual machines, you can also use Azure Backup. For Business Continuity and Disaster Recovery (BCDR), Azure Site Recovery (ASR) provides replication, failover, and recovery of entire workloads to a secondary site or directly within Azure. With features such as test failovers, planned failovers without data loss, and failback scenarios, Azure Site Recovery supports a comprehensive BCDR strategy—without the need to operate your own secondary data centers.

Security updates are essential to close known vulnerabilities. While you don’t need to worry about security updates for Platform-as-a-Service (PaaS) offerings, this is unfortunately not the case for virtual machines. For this reason, features such as Automatic Guest Patching and Update Management via Azure Automation exist. Automatic Guest Patching handles downloading and updating Windows and Linux images to fix critical vulnerabilities on your VMs. The Azure Update Manager also allows you to scan your VMs and configure maintenance windows.

A central feature that we will examine later in this blog post is Confidential Computing. It is especially relevant for VMs, but first I want to cover the usual best practices and options for secure use of your Azure Cloud.

Securing Platform Services

After covering virtual machines, I now want to highlight the security-related advantages of Platform-as-a-Service (PaaS) offerings in Microsoft Azure. This should clarify the differences compared to other cloud operating models and provide an understanding of how you can reduce your attack surface, delegate security responsibilities to Microsoft, and implement identity and data access controls.

With PaaS services, you can hand over responsibility for availability and performance, while the cloud provider takes care of critical areas such as hardware, networking, virtualization, OS patching, and more. This results in several advantages, for example:

  • Reduced attack surface: Since no direct servers or VM hosts are managed, most traditional infrastructure-based attacks are eliminated.
  • Faster threat detection: Microsoft integrates global threat intelligence signals into PaaS services, allowing new attack patterns to be detected more quickly.
  • Identity-based security: As network perimeters become less relevant, identities are the primary security factor. Microsoft Entra ID provides MFA, Conditional Access, Identity Protection, and Role-Based Access Control.
  • Automatic patches and updates: PaaS services are continuously updated for you, allowing vulnerabilities to be closed more quickly.

Advantages of PaaS

Azure App Service & App Service Environment (ASE)

With Azure App Service, you can deploy web and API applications without having to manage the underlying server. There are two main distinctions:

  • App Service Plan (Standard/Basic/Consumption Plans)

    • Services run in a multi-tenant environment, protected by Microsoft with strong isolation mechanisms.
    • Security through TLS certificates, Entra integration (OAuth2, OpenID), Key Vault integration, and DDoS protection.
    • Suitable for many scenarios, but the attack surface is larger due to public internet exposure.
    • Integration into your individual VNet via Private Endpoints and Private Link is possible.
  • App Service Environment (ASE)

    • Single-tenant hosting: apps run fully isolated on dedicated infrastructure.
    • Full integration into a Virtual Network (VNet), including private IPs for inbound traffic.
    • Control over inbound traffic with NSGs (Network Security Groups), firewall rules, and private endpoints.
    • Ideal for highly regulated industries (finance, healthcare) or highly confidential data where network isolation is mandatory.
    • More expensive, but the most secure App Service option.

Azure Container Apps with Consumption & Workload Profiles

We already covered Container Apps in detail in an earlier blog post.

  • Container Apps Consumption Plan

    • Serverless and pay-per-use, with automatic scaling of resources.
    • Runs in a multi-tenant infrastructure; Microsoft handles isolation and patch management.
    • Public endpoints by default, but can be secured via ingress restrictions, Entra integration, and managed identities.
    • Limited control over compute isolation, as resources run dynamically in shared environments.
    • Well-suited for scenarios with lower compliance requirements or where cost optimization is a priority.
  • Container Apps Workload Profiles

    • A newer variation where containers run on dedicated worker nodes within the container apps environment.
    • Workload profiles can be optimized for performance, isolation, and compliance (e.g., memory-optimized, CPU-optimized).
    • Stronger isolation since workloads run on dedicated compute resources (similar to single-tenant PaaS).
    • Private VNet integration available, allowing container apps to operate without public IP addresses.
    • Supports Confidential Compute options in combination with specific SKUs (similar to AKS).
    • Better suited for regulated industries, sensitive data, or applications with strict compliance requirements.

Additional Options for Containerized Applications

  • Azure Kubernetes Service (AKS)

    • Security and isolation via Confidential Compute nodes (based on Intel SGX or AMD SEV-SNP).
    • Support for Pod Security Standards, Kubernetes RBAC, Azure AD integration.
    • Private cluster option: no public API access to the control plane.
    • Defender for Containers integration: image scanning, runtime monitoring, policy enforcement.
  • Azure Container Instances (ACI)

    • Lightweight PaaS for short-lived containers.
    • Isolated SKUs for compute isolation.
    • VNet integration to limit public exposure.
    • Less feature depth compared to AKS, but simplified and suitable for batch/serverless scenarios.

Azure SQL Database & Data Platforms

  • Azure SQL Database (Single Database, Elastic Pools)

    • Transparent Data Encryption (TDE) is enabled by default.
    • Advanced options: Always Encrypted (client-side encrypted columns).
    • Access via Private Endpoints, VNet rules, Entra authentication (MFA, Conditional Access).
    • Advanced Threat Protection for attack detection (SQL injection, unusual access).
  • Azure Synapse Analytics

    • Same security features as SQL Database.
    • Additionally, encryption at rest, Entra-based access controls, and Private Link support.
  • Cosmos DB

    • Multi-layer encryption (at rest and in transit).
    • Confidential Ledger integration for tamper-proof transaction records.

Azure Storage

  • Storage Accounts
    • Encrypted by default with SSE (AES-256).
    • Optional: Customer-Managed Keys (CMK) via Key Vault.
    • Access through Shared Access Signatures (SAS), Azure RBAC, and Private/Service Endpoints.
    • Immutable Storage (Write Once Read Many): protection against tampering or deletion, critical for finance and compliance scenarios.
    • In combination with Confidential Compute VMs, highly sensitive data can also remain encrypted during processing.
    • Azure Storage Encryption Scopes: different encryption policies per container or blob.
    • Soft Delete & Blob Versioning: protection against accidental or malicious deletion.
    • Advanced Threat Protection for Storage (Defender for Storage): detects unusual activity (e.g., mass downloads, data exfiltration, malware uploads).
    • Customer Lockbox: ensures Microsoft support can only access customer data with explicit approval.

Other Security-Relevant PaaS Services and Features

  • Azure Service Bus

    • SAS tokens and Entra RBAC for secure access control.
    • Access from your VNet via Service Endpoints & Private Endpoints.
  • Azure Cache for Redis (Premium)

    • Private Link, VNet integration, TLS 1.2/1.3 enforced.
  • Azure Functions

    • Supports secrets via Key Vault, VNet integration, Private Endpoints, and many other options.
    • Includes an Isolated Plan for stronger security (dedicated compute isolation).

Security, Encryption, and Data Storage

After covering various security-relevant aspects, I now want to shift the focus to the protection of your data during storage, transmission, and processing. Here, I will show you concrete measures and options for encrypting data and provide decision-making foundations.

Data protection in the cloud not only includes securing data at rest but also protecting it during transmission and processing. Azure provides a wide range of features, technologies, and security mechanisms that cover the entire data lifecycle. These can be divided into three categories: Data-at-Rest, Data-in-Transit, and Data-in-Use.

Data-at-Rest (Storage)

Stored data must remain protected even if an attacker gains physical access to the infrastructure. In Azure, all data is therefore encrypted by default, with additional options available for particularly sensitive scenarios.

Default Encryption and Key Management

All Azure services encrypt stored data by default using Server-Side Encryption (SSE), based on the AES-256 algorithm in FIPS 140-2 validated hardware. The following applies:

  • Microsoft-Managed Keys (MMK): The default option, where Microsoft generates, stores, and rotates the keys.
  • Customer-Managed Keys (CMK): Customers can provide and manage their own keys, typically via Azure Key Vault or Azure Managed HSM. This ensures customers retain control over key generation, rotation, and deletion.
  • Double Encryption: Data is encrypted twice with different keys.
    • Service-level encryption is the standard encryption of all Azure Storage data with either Microsoft- or customer-managed keys from Azure Key Vault or Azure Managed HSM.
    • Infrastructure-level encryption adds a second encryption layer at the infrastructure level used by Microsoft. It uses a separate key, which is always Microsoft-managed.

There are several key management models:

  • BYOK (Bring Your Own Key): Customers import self-generated keys (e.g., from on-premises HSMs) into Azure Key Vault or Managed HSM. Key material is securely transferred via RSA-wrapping or PKCS#11.
  • HYOK (Hold Your Own Key): Keys remain exclusively in the customer’s local infrastructure (e.g., on-premises HSM) and are used via Microsoft Rights Management Connector or dedicated interfaces. Data can only be decrypted if the on-premises key server is accessible. This model is suited for highly regulated scenarios (e.g., government secrecy, critical infrastructure).
  • Customer-Managed Key Rotation: Keys can be rotated on schedule using Azure Key Vault key rotation policies or automated scripts (PowerShell, CLI, Terraform). Services like Azure Storage, SQL Database, or Azure Disk Encryption can transparently switch to the new key without requiring data migration.

A typical use case for data-at-rest would be an Azure Storage Account with customer-managed keys. In this setup, you create a Key Vault and key for encryption. The Storage Account is then granted permission (via managed identity) to access the key from Key Vault, and finally, encryption is enabled in the Storage Account.
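The setup just described, written out with the Azure CLI. This is an added example, not code from the original post: all resource names are hypothetical, and the resource group and storage account are assumed to exist already. `DRY_RUN=1` prints the commands instead of executing them.

```shell
# Added example: switch a storage account to a customer-managed key (CMK).
# All resource names are hypothetical. DRY_RUN=1 prints the az commands only.
RG="rg-demo"; LOC="westeurope"
KV="kv-demo-cmk"; KEY="storage-cmk"; SA="stdemocmk001"

run() {  # run an az command, or only print it in dry-run mode
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "az $*"; else az "$@"; fi
}

configure_cmk() {
  # 1. Key Vault; purge protection is mandatory for storage CMK
  run keyvault create --name "$KV" --resource-group "$RG" --location "$LOC" \
    --enable-purge-protection true --enable-rbac-authorization true
  # 2. Key that wraps the account's data-encryption key
  run keyvault key create --vault-name "$KV" --name "$KEY" --kty RSA --size 3072
  # 3. System-assigned managed identity for the storage account
  run storage account update --name "$SA" --resource-group "$RG" --assign-identity
  if [ "${DRY_RUN:-0}" = "1" ]; then
    principal="<principal-id>"; kv_id="<key-vault-resource-id>"
  else
    principal=$(az storage account show --name "$SA" --resource-group "$RG" \
      --query identity.principalId --output tsv)
    kv_id=$(az keyvault show --name "$KV" --query id --output tsv)
  fi
  # 4. Least privilege: this role only allows get, wrap and unwrap on keys
  run role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Crypto Service Encryption User" --scope "$kv_id"
  # 5. Point encryption at the key; with no key version pinned, the account
  #    follows new versions created by a rotation policy
  run storage account update --name "$SA" --resource-group "$RG" \
    --encryption-key-source Microsoft.Keyvault \
    --encryption-key-vault "https://$KV.vault.azure.net" \
    --encryption-key-name "$KEY"
}
```

Because the vault uses RBAC authorization, the operator running step 2 needs a data-plane role such as Key Vault Crypto Officer on the vault.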

Data-in-Transit (Transmission)

Data traveling between services, datacenters, or endpoints is at high risk of eavesdropping, tampering, or man-in-the-middle attacks. To minimize these risks, Azure uses a multi-layered security model that includes encryption of communications, network isolation, and traffic control. This ensures data is protected both within the Azure infrastructure and across external connections.

Encryption Standards

By default, all Azure traffic is encrypted using TLS 1.2 or 1.3, which leverages modern cryptographic methods such as Perfect Forward Secrecy (PFS) and AES-Galois/Counter Mode (AES-GCM) for integrity. Many services also support mTLS (Mutual TLS), where not only the server but also the client must present a certificate. This is used, for example, by Azure Application Gateway or Azure API Management to secure sensitive APIs and workloads from unauthorized clients.

For file-based scenarios, specialized protocols are used such as SMB 3.0 (for Azure File Shares) or HTTPS (for Blob Storage, Queues, Tables), both of which provide native encryption and protection against replay and sniffing attacks.

Network Isolation

In addition to encryption, Azure ensures that data is transmitted only over trusted network paths. With Private Link and Private Endpoints, services can be integrated directly into a Virtual Network (VNet), making them accessible via private IP addresses without public internet exposure.

A simpler option is to use Service Endpoints, where traffic still flows over the Azure backbone but access is restricted to defined subnets. Both approaches prevent unnecessary data exposure to public networks, significantly reducing the attack surface.

Secure Hybrid Connectivity

In hybrid scenarios where on-premises systems are connected to Azure, dedicated protection mechanisms are used. With VPN Gateway, encrypted site-to-site or point-to-site tunnels can be established over the internet, while Azure ExpressRoute provides a dedicated private link to the Microsoft network, which can also be encrypted if needed.

For secure remote access to virtual machines, Azure Bastion is available. Administrators can manage VMs over RDP or SSH via the Azure Portal without requiring a public IP. This provides a significant security improvement by eliminating attack vectors such as brute-force or port scanning.

Traffic Control and Threat Protection

Azure offers several mechanisms to secure network connectivity. Network Security Groups (NSGs) allow granular control of inbound and outbound traffic at the subnet or NIC level. Azure Firewall extends this functionality with centralized logging, FQDN-based filtering, and application-level rules. For web application protection, Application Gateway combined with a Web Application Firewall (WAF) is used to detect and block common attacks such as SQL injection, cross-site scripting (XSS), or request smuggling.

Against large-scale volumetric attacks such as DDoS, Azure provides dedicated protection. Azure DDoS Protection is available in a free basic tier (enabled by default) and an advanced standard tier, which adds telemetry, adaptive tuning, and guaranteed cost protection in case of outages caused by DDoS attacks.

Data Integrity and Monitoring

To detect tampering or unusual activities in network traffic at an early stage, Azure provides extensive monitoring tools. Azure Monitor and Traffic Analytics allow the analysis of traffic flows and the identification of patterns, bottlenecks, or potential attacks. With NSG Flow Logs, administrators can track in detail which connections were allowed or blocked, while Azure Network Watcher provides additional functions such as packet capture, topology views, and connection monitoring. Together, these tools enable continuous monitoring of network security and rapid response to threats.
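A minimal triage pass over NSG flow log tuples, as an added example that is not part of the original post. It assumes version 2 flow tuples already extracted from the log JSON; the sample tuples are constructed, and the function names and thresholds are hypothetical.

```shell
# Added example: triage of NSG flow log (version 2) tuples with awk.
# Tuple fields: 1 time, 2 src IP, 3 dst IP, 4 src port, 5 dst port,
# 6 protocol (T/U), 7 direction (I/O), 8 decision (A/D), 9 state (B/C/E),
# 10 packets src->dst, 11 bytes src->dst, 12 packets dst->src, 13 bytes dst->src
# Real logs nest the tuples in JSON; one way to extract them:
#   jq -r '.records[].properties.flows[].flows[].flowTuples[]' PT1H.json

sample_tuples() {  # constructed sample data (documentation IP ranges)
cat <<'EOF'
1700000000,203.0.113.7,10.0.1.4,50111,22,T,I,D,B,,,,
1700000005,203.0.113.7,10.0.1.4,50112,3389,T,I,D,B,,,,
1700000009,203.0.113.7,10.0.1.5,50113,22,T,I,D,B,,,,
1700000012,198.51.100.20,10.0.1.4,44321,443,T,I,A,B,,,,
1700000015,10.0.1.4,192.0.2.50,51000,443,T,O,A,E,900,1250000,450,31000
1700000020,198.51.100.9,10.0.1.4,40000,22,T,I,D,B,,,,
EOF
}

# Sources with at least $1 denied inbound flows.
# Output per line: "src denied_flows distinct_dst_ports"
denied_inbound_sources() {
  awk -F, -v t="$1" '
    $7 == "I" && $8 == "D" {
      n[$2]++
      if (!(($2, $5) in seen)) { seen[$2, $5] = 1; ports[$2]++ }
    }
    END { for (s in n) if (n[s] >= t) print s, n[s], ports[s] }' | sort
}

# Allowed outbound flows that sent at least $1 bytes (src->dst).
# Output per line: "src dst dst_port bytes_sent"
large_outbound_flows() {
  awk -F, -v min="$1" '
    $7 == "O" && $8 == "A" && $11 + 0 >= min + 0 { print $2, $3, $5, $11 }'
}
```

Repeated denied inbound flows from one source across several ports point to scanning against the NSG, while large allowed outbound transfers are candidates for an exfiltration review.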

Data-in-Use (Processing)

Even if data is well encrypted during storage (at rest) and transmission (in transit), it is often in plaintext while being processed in RAM or on the CPU. This creates new threat scenarios:

  • Access by compromised hosts or admins
  • Attacks via memory snapshots or debuggers
  • Risks from shared cloud infrastructure (multi-tenant)

Azure Confidential Computing directly addresses this problem by extending protection into hardware, ensuring data remains protected even at the time of execution. At its core, Confidential Computing is based on Trusted Execution Environments (TEE), which encrypt data and code in memory and enforce strict isolation from the operating system, hypervisor, and other workloads. Essentially, it creates a secure region inside the main processor that executes code, where data is only decrypted inside that region. You can think of it as a vault inside RAM. This secure region is also called an enclave.

| Term | Meaning |
| --- | --- |
| TEE (Trusted Execution Environment) | Isolated CPU-level environment where code is executed securely. |
| Enclave | The actual protected and isolated memory area. |
| Trusted Compute Base (TCB) | Minimal, verified codebase that the system relies on for trust. |

An enclave is an isolated region within the CPU or RAM, enforced by hardware, that is separated from the rest of the system. Data and code within an enclave remain encrypted and are invisible to other processes, the hypervisor, the operating system, and even the cloud provider. Only authorized code inside the enclave can access and process the data in plaintext. Thus, enclaves are the central component of the Trusted Execution Environment (TEE).

Structure of a Trusted Compute Base

The Trusted Compute Base (TCB) refers to all components that must be trusted for a system to be considered secure. A lean TCB minimizes the potential attack surface and reduces the risk of a vulnerability undermining the entire security model. Key components of a TCB include:

  • CPU functions that enforce enclave protection
  • Firmware and microcode that technically implement isolation
  • Minimal necessary software such as a special runtime module inside the enclave

Unlike classic VMs, where the operating system, hypervisor, drivers, and management tools are part of the TCB, in Confidential Computing the TCB is reduced to a few verifiable components.

To ensure, for example, that a key service or CI/CD pipeline does not have to blindly trust that a workload runs in a protected environment, the Azure Attestation Service is used. This service cryptographically ensures that:

  • The workload is indeed running inside a TEE.
  • The hardware/firmware matches the approved TCB.
  • Only verified environments are granted access to sensitive data.

The Azure Attestation Service provides a cryptographically signed proof of the specific hardware and software measurement of the running workload. Only when this measurement (quote or evidence) matches a defined attestation policy are downstream systems allowed to release secrets or grant access. A typical example is attested key release, where keys from Azure Key Vault or Managed HSM are only released to exactly the verified enclave.

Azure provides multiple options depending on the degree of isolation and integration scenario.

  • Confidential VMs: Protect the entire VM so that memory contents, registers, and VM states are encrypted and tamper-resistant at the hardware level. Azure leverages modern CPU extensions such as AMD SEV-SNP and Intel equivalents for confidential execution. These VM SKUs are attractive for lift-and-shift scenarios, as they provide strong protection without requiring code changes. Operating systems, databases, app servers, and agents run unchanged while benefiting from memory encryption and integrity protection at the VM level.

App Enclave Representation

  • Application-level enclaves with Intel SGX: Particularly sensitive services can be placed in an enclave inside RAM. This approach is more fine-grained but requires code changes and specialized SDKs (e.g., Open Enclave). In return, you can selectively execute critical processing steps inside a TEE, even in shared PaaS services. An example is Always Encrypted with Secure Enclaves in Azure SQL for encrypted columns.

  • Confidential Containers: In AKS, you can run node pools on confidential VM-based infrastructure and enable confidential containers. Similarly, Azure Container Instances are available in a confidential variant for quickly deploying isolated containers without cluster operations.

Containerized applications further benefit from protections such as signed and hardened images or image scanning to detect vulnerabilities in container workloads. For classical PaaS scenarios, there are also confidential execution models, such as the mentioned Secure Enclaves in Azure SQL or integrations for key/secret operations, which are only permitted after successful attestation. This ensures that even in multi-tenant platforms, highly sensitive operations are executed only in a verified TEE context.

From a security perspective, the data-in-use examples in this chapter address several concrete threats. Against malicious or compromised hypervisors, hardware-based integrity and memory protection is effective. Memory scraping, DMA attacks, cold boot/snapshot extraction, and many forms of debugging are neutralized because plaintext data never leaves the protected enclave.

Conclusion

The security of your Azure environment is not a task that can be set up once and then neglected. Microsoft Azure offers a wide variety of powerful mechanisms to comprehensively protect your data, applications, and infrastructure—from the physical security of datacenters to modern identity solutions and innovative technologies such as Confidential Computing.

Key success factors are:

  • Understanding the Shared Responsibility Model to clearly define your own role.
  • Applying best practices and benchmarks to make security measurable and standardized.
  • Using end-to-end encryption, Zero Trust principles, and network isolation as technological pillars.
  • Continuously monitoring, assessing, and adapting security measures in line with the pace of change in the cloud.

Whether you are protecting data in storage (Data-at-Rest), during transmission (Data-in-Transit), or in active processing (Data-in-Use), Azure provides a clear solution for every scenario. The decisive factor is to use these mechanisms deliberately, consistently, and in line with your requirements.
