Security Responsibilities in the Cloud – Azure AZ-900

Ashwin

Security Responsibilities in the Cloud – What You Must Own as an Azure Customer

Azure provides powerful security tools. But providing tools and using them correctly are two very different things. One is Microsoft's job. The other is yours.

What You Will Learn
  • What customer-side security responsibility actually looks like in practice on Azure
  • The specific security areas every Azure customer must actively manage
  • How Azure helps with security versus what it cannot do for you automatically
  • The most common security failures in cloud environments and why they happen

What Are Security Responsibilities in the Cloud?

Security in the cloud is a two-sided job. Microsoft Azure builds and maintains the security of the cloud platform itself — the infrastructure, physical facilities, and foundational services. Your responsibility as a customer is the security of everything you build and run on top of that platform.

Azure gives you exceptional tools — Microsoft Defender for Cloud, Azure Policy, role-based access control, encryption at rest and in transit, multi-factor authentication, and more. But tools do not secure systems. Configured, monitored, and actively managed tools do. That configuration and management is entirely your responsibility.

Why Does This Matter?

The majority of security incidents in cloud environments are not caused by failures in the cloud provider's infrastructure. They are caused by customer-side misconfigurations, poor access management, unpatched software, or ignored security alerts. Understanding your security responsibilities is the first step to avoiding the most common and most avoidable cloud security failures.

The Real-World Story

A new housing colony installed a state-of-the-art security system — cameras at every entrance, motion detectors, smart locks, intercom systems, and a 24-hour security guard at the main gate. The developer handed over every tool needed to keep the community safe.

But six months after residents moved in, several break-ins happened. The investigation revealed the problem had nothing to do with the security infrastructure. One resident had shared their door code with a former tenant who never returned the key. Another family had left a ground-floor window unlocked for weeks. A third family never bothered to register their domestic worker with the security office, so unauthorised entries were never flagged.

The security infrastructure was perfect. The security practices of the residents were not.

Azure is the housing colony's developer. It builds and maintains exceptional security infrastructure. Your organisation is the resident. All the tools are there, but how you use and configure them, and whether you actually follow security practices, determines whether your environment is safe.

[Figure labels: Azure, Identity, Data, Network, Applications, Monitoring]

Going Deeper

Identity and access management is the single most important security responsibility for Azure customers. Every Azure environment has users, service accounts, and applications that need access to resources. Managing who has access to what — and ensuring access is limited to exactly what is needed and nothing more — is entirely the customer's job. This includes enforcing multi-factor authentication for all users, implementing role-based access control with the principle of least privilege, regularly reviewing and removing access that is no longer needed, and securing service principals and managed identities that applications use to authenticate.
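The access review described above can be run over an export of role assignments. The following is an added example, not code from this article or from Microsoft: it assumes records shaped like `az role assignment list --all -o json` output, and the sample data, the choice of which roles count as privileged, and the function names are assumptions made for illustration.

```python
# Constructed sample shaped like `az role assignment list --all -o json`,
# trimmed to the fields used. The subscription ID and principals are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "platform-admins", "principalType": "Group",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/app-rg"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "legacy-script", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator", "scope": "/"},
]
# Assumption for this example: built-in roles treated as privileged.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BREADTH = ["root", "management group", "subscription", "resource group", "resource"]

def scope_level(scope):
    """Classify an assignment scope by how much of the tenant it covers."""
    parts = [p.lower() for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:2] == ["providers", "microsoft.management"]:
        return "management group"
    if "resourcegroups" not in parts:
        return "subscription"  # simplification: anything without a resource group
    return "resource group" if len(parts) == 4 else "resource"

def review(assignments):
    """Return privileged assignments at subscription scope or broader, broadest first."""
    flagged = []
    for a in assignments:
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and BREADTH.index(level) <= 2:
            flagged.append((a["principalName"], a["principalType"],
                            a["roleDefinitionName"], level))
    return sorted(flagged, key=lambda f: BREADTH.index(f[3]))

if __name__ == "__main__":
    for name, kind, role, level in review(SAMPLE_ASSIGNMENTS):
        print(f"{level:<12} {role:<28} {kind:<17} {name}")
```

Each flagged row is a candidate for narrowing to a resource group or a less powerful role, or for removal if the access is no longer needed.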

Data protection is another core customer responsibility. Data at rest should be encrypted using Azure's built-in encryption or customer-managed keys depending on compliance requirements. Data in transit should always use secure protocols. Data classification — understanding which data is sensitive, which is public, and which is regulated — must be done by the customer. Azure provides the encryption capabilities; deciding how and where to apply them is the customer's decision.

Network security configuration sits firmly with the customer in IaaS and partially in PaaS environments. Network Security Groups, firewalls, and virtual network configurations must be set up correctly to prevent unauthorised access. Leaving services exposed to the public internet with no access restrictions is one of the most common and most avoidable security mistakes in cloud deployments.
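One way to check for the exposure described above is to audit exported Network Security Group rules. This is an added example, not code from this article or from Microsoft: it assumes input shaped like `az network nsg list -o json` output, and the sample rules, the list of sensitive ports, and the function names are assumptions made for illustration.

```python
# Constructed sample, shaped like `az network nsg list -o json` output and
# trimmed to the fields the check reads. All names are made up.
SAMPLE_NSGS = [
    {"name": "web-nsg", "securityRules": [
        {"name": "allow-ssh-any", "priority": 200, "direction": "Inbound",
         "access": "Allow", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    ]},
    {"name": "db-nsg", "securityRules": [
        {"name": "allow-wide-range", "priority": 300, "direction": "Inbound",
         "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "3000-4000"},
        {"name": "deny-internet", "priority": 100, "direction": "Inbound",
         "access": "Deny", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"},
        {"name": "allow-sql-corp", "priority": 110, "direction": "Inbound",
         "access": "Allow", "sourceAddressPrefixes": ["10.0.0.0/8"],
         "destinationPortRanges": ["1433"]},
    ]},
]
OPEN_SOURCES = {"*", "0.0.0.0/0", "internet"}  # sources that include the public internet
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "SQL Server", 3306: "MySQL"}

def _values(rule, single, plural):
    # A rule carries either one value or a list; merge both forms.
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(rule, port):
    for rng in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = rng.partition("-")
        if rng == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def exposed_ports(nsg):
    # Walk inbound rules in priority order (lowest number first): the first rule
    # that matches internet traffic on the port decides, so an earlier Deny
    # shadows a later Allow. Protocol is ignored to keep the check short.
    inbound = sorted((r for r in nsg["securityRules"] if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    found = {}
    for port in SENSITIVE_PORTS:
        for rule in inbound:
            srcs = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
            if _covers_port(rule, port) and any(s.lower() in OPEN_SOURCES for s in srcs):
                if rule["access"] == "Allow":
                    found[port] = rule["name"]
                break
    return found
```

On the sample, `web-nsg` is reported for SSH open to the internet, while `db-nsg` is clean because its priority-100 deny rule is evaluated before the wide allow rule at priority 300.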

Application security in workloads the customer builds or deploys is always the customer's domain. Validating user input, handling authentication and authorisation correctly within applications, keeping application dependencies updated, and scanning for known vulnerabilities are all customer responsibilities that Azure cannot fulfil automatically.

Azure provides a continuous stream of security recommendations through Microsoft Defender for Cloud and a Secure Score that shows how well your environment follows security best practices. Acting on those recommendations — remediating misconfigurations, addressing vulnerabilities, and following the guidance — is the customer's ongoing job. A high Secure Score does not happen by itself.

🎯 Quick Takeaways
  • Azure provides the security tools and infrastructure but cannot configure, monitor, or act on them on your behalf — all active security management is a customer responsibility.
  • Identity and access management is the most critical customer security responsibility — enforcing MFA, applying least privilege, and regularly reviewing access are non-negotiable practices.
  • Data classification and protection decisions — what to encrypt, how to classify sensitive information, and how long to retain data — are always the customer's responsibility.
  • Network security configurations such as Network Security Groups and firewall rules must be actively managed by the customer to prevent unauthorised access.
  • Azure's Secure Score and Defender for Cloud provide recommendations but do not automatically remediate issues — reviewing and acting on those recommendations is an ongoing customer obligation.
