Defense in Depth
Defense in Depth

This short course explains how to use the concepts of zero trust and defense in depth to protect your Azure resources from attackers who breach your perimeter network.

Learning Objectives

  • Describe the principles of zero trust 
  • Describe the various layers of protection used by a defense in depth strategy

Intended Audience

  • Azure security administrators and anyone else who needs to know how to protect their Azure resources
  • People preparing to take the Azure Fundamentals exam



If you adopt a zero trust philosophy when designing your Azure infrastructure, then one useful way of slowing down your attackers is a strategy called defense in depth. It’s particularly effective at protecting your data. This includes three types of protection:

  1. Confidentiality, meaning that only authorized users can access the data,
  2. Integrity, meaning that the data has not been altered by malicious users, and
  3. Availability, meaning that authorized users can access it. One way an attacker could make the data unavailable is to launch a denial-of-service attack.

The central principle of defense in depth is to protect your data using a series of layers, so even if one layer is breached, the other layers still offer protection for your data. Not only does this slow down the attacker, but it also increases the probability that you’ll detect the attack.

Here’s a quick summary of the layers and how they can be protected in Azure. First up is physical security. Microsoft takes care of this by maintaining physical security at its datacenters. This layer is probably the least likely for an attacker to attempt to breach.

Next, there’s identity and access. These are provided by Azure Active Directory and role-based access control. There are many ways to increase your security using these services, but some examples are conditional access and Identity Protection.

Then there’s perimeter security. One example of a service at this layer is Azure DDoS, which defends against denial-of-service attacks.

Next, there’s network security. An example at this layer is network security groups, which are essentially firewall rules for your Azure virtual networks.

Then there’s the compute layer. One way to defend your compute resources is to ensure that their operating systems are regularly patched. Fortunately, most Azure compute services take care of this for you, but if you’re using virtual machines, you’ll need to take care of this yourself.

After that, there’s application security. You’ll need to make sure that your developers are writing your applications in a secure manner.

Finally, there’s the data layer. This is what attackers are usually trying to access. Azure’s various storage services offer a variety of features to provide security for your data. One common feature is encryption. Another example is enabling Advanced Threat Protection in your Azure SQL Databases.

As you can see, it’s possible to protect your data using many layers of security. Some of these layers, such as physical security are entirely Microsoft’s responsibility, some are entirely your responsibility, such as application security, and most are a combination of Azure services and how you implement them.

And that’s it for zero trust and defense in depth. Please give this course a rating, and if you have any questions or comments, please let us know. Thanks!

About the Author
Learning Paths

Guy launched his first training website in 1995 and he's been helping people learn IT technologies ever since. He has been a sysadmin, instructor, sales engineer, IT manager, and entrepreneur. In his most recent venture, he founded and led a cloud-based training infrastructure company that provided virtual labs for some of the largest software vendors in the world. Guy’s passion is making complex technology easy to understand. His activities outside of work have included riding an elephant and skydiving (although not at the same time).