1.4.2. Shared Responsibility: Customer's Role
💡 First Principle: The customer is fundamentally responsible for "security in the cloud," which encompasses securing their own data, applications, identities, and network configurations within the Azure services they consume.
Scenario: When deploying an Azure Virtual Machine, you configure Network Security Groups, enable Azure Disk Encryption for its disks, and manage application-level security.
The customer's responsibility in the Azure Shared Responsibility Model is for "security in the cloud." This means customers are responsible for the security of their data, applications, and configurations within the Azure environment.
Key Customer Responsibilities ("Security in the Cloud"):
- Data Security: Data encryption (at rest and in transit), data integrity, data classification for data stored in Azure Storage, Azure SQL Database, etc.
- Identity and Access Management: Configuring Entra ID users, groups, and Role-Based Access Control (RBAC) policies.
- Network Configuration: Configuring Network Security Groups (NSGs), Azure Firewall, and Virtual Network (VNet) settings.
- Guest Operating System: Applying patches, security updates, and firewall configurations for the operating system running on Azure Virtual Machines.
- Application Security: Securing the application code, its dependencies, and configurations.
- Security Monitoring: Configuring Azure Monitor alerts and reviewing Azure Activity Logs and Resource Logs.
⚠️ Common Pitfall: Neglecting to patch the guest operating system on an IaaS Virtual Machine, assuming Microsoft handles it. This is a critical customer responsibility and a common source of security vulnerabilities.
Key Trade-Offs:
- Flexibility vs. Responsibility: IaaS offers the most flexibility but also the most security responsibility for the customer. PaaS and SaaS reduce customer responsibility but also offer less configuration flexibility.
Reflection Question: How does misconfiguring a Network Security Group or failing to patch an operating system on an Azure Virtual Machine directly demonstrate a failure in the customer's shared responsibility for "security in the cloud"?
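To make the Network Configuration responsibility and the Reflection Question concrete, here is an added audit script (not part of this study guide or any Microsoft tooling) that checks NSG inbound rules for management ports reachable from the Internet. The rule records are constructed for the example and only mimic the fields Azure returns for an NSG rule; the rule names, the office CIDR and the port list are assumptions.

```python
"""Audit NSG inbound rules for management ports open to the whole Internet.
Rule records are constructed for this example; they mimic the fields Azure
returns for an NSG rule but do not come from a real subscription."""

MGMT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
# Source prefixes that match traffic from anywhere, including the Internet.
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}

def port_set(spec):
    """Expand an Azure destinationPortRange ('22', '1000-2000' or '*') to ints."""
    if spec == "*":
        return set(range(65536))
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return set(range(lo, hi + 1))
    return {int(spec)}

def exposed_mgmt_ports(rules):
    """Return {port: rule name} for management ports an Internet host can reach.
    Azure evaluates rules by ascending priority and the first match decides, so a
    rule only settles a port here if its source covers open sources; a Deny scoped
    to one CIDR does not protect against a lower-priority Allow from '*'."""
    exposed, decided = {}, set()
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != "Inbound" or r["protocol"] not in ("*", "Tcp"):
            continue
        if r["sourceAddressPrefix"] not in OPEN_SOURCES:
            continue
        for port in (port_set(r["destinationPortRange"]) & set(MGMT_PORTS)) - decided:
            decided.add(port)
            if r["access"] == "Allow":
                exposed[port] = r["name"]
    return exposed

def rule(name, priority, access, src, ports, protocol="Tcp", direction="Inbound"):
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": protocol, "sourceAddressPrefix": src, "destinationPortRange": ports}

# Constructed sample NSG: one obvious mistake, one narrow Allow, one explicit Deny,
# a catch-all Allow that silently re-exposes RDP, and Azure's default DenyAllInBound.
SAMPLE_NSG = [
    rule("allow-ssh-any", 100, "Allow", "*", "22"),
    rule("allow-rdp-office", 110, "Allow", "203.0.113.0/24", "3389"),
    rule("deny-winrm-internet", 120, "Deny", "Internet", "5985-5986"),
    rule("allow-all-low-prio", 200, "Allow", "*", "*", protocol="*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*", protocol="*"),
]

if __name__ == "__main__":
    for port, name in sorted(exposed_mgmt_ports(SAMPLE_NSG).items()):
        print(f"{MGMT_PORTS[port]} ({port}) is open to the Internet via rule '{name}'")
```

Note that the catch-all rule at priority 200 is what exposes RDP, even though the only explicit RDP rule is restricted to the office range; this is exactly the kind of NSG misconfiguration the Reflection Question asks about.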