FEATURE

Auditing the Cloud: Microsoft

Azure

“
When it comes to the cloud and the methods used
to audit this expanding technology, Amazon Web
Services (AWS) is not the only major player. There
THE LARGER THE
may not be as many advertisements for Azure, but TECHNOLOGICAL FOOTPRINT
as of 2019, Microsoft was one of the top-three
providers of public cloud services.1 The following
A SERVICE PROVIDER OFFERS,
examines the leading public cloud service providers, THE MORE ATTENTION IT IS

”
including a basic financial analysis, and then
introduces Microsoft Azure and the audit
LIKELY TO RECEIVE FROM
techniques enterprises can use to assess the CYBERCRIMINALS.
Microsoft Azure Platform as a Service (PaaS).
The general audit program outlined here is not Azure.2, 3 As of 2019, AWS was widely accepted as
intended as a prescriptive set of tests that each the market leader in both Infrastructure as a Service
enterprise should conduct; it is meant to serve as a (IaaS) and overall cloud services, finishing the year
foundation for the development of security, risk with an estimated US$35 billion.4 Second place was
and compliance assessments related to assumed to belong to Microsoft, whose
Azure deployments. “Commercial Cloud” portfolio, which includes Azure,
LinkedIn Premium and MS Dynamics, ended 2019
From a security audit and risk perspective, a with US$38 billion in total revenue for all cloud
financial analysis of any service provider allows an services combined.5 Google Cloud ended 2019 in
enterprise to better assess the provider’s maturity third place with US$10 billion in total revenue.6
(e.g., security services offered, market stability,
financial risk from investments, potential for
cyberattacks due to size). The larger the
technological footprint a service provider offers, the
more attention it is likely to receive from
cybercriminals. In addition, rapid market expansion
may lead to larger gaps between the introduction of
new services and the creation and maturation of
associated security capabilities, leading to
increased risk. Assessment of the financial status
of a cloud service provider (CSP) can help IT audit
teams and executive management determine
whether the provider is growing too quickly in an
insecure manner, whether rapid expansion may lead
to increased security breaches and whether growth
is occurring in a way that deviates from the
enterprise risk appetite.
Adam Kohnke, CISA, CISSP, eJPT
Cloud Service Providers Currently serves as the identity and access management team leader for
North American operations at QBE Insurance, Australia’s second largest
It is difficult to declare a definitive winner in the insurer. He has four years of experience in IT audit within the financial
category of top public CSP. Microsoft chooses not services industries and more than six years of IT service management
to publicly disclose total revenue figures specific to experience in the healthcare and construction industries.

© 2020 ISACA. All rights reserved. www.isaca.org

ISACA JOURNAL VOL 5 1
 Financial resources are pouring into the public environment. The Azure cloud platform extrapolates
Enjoying cloud services market, and a great deal of short- the virtualization concept on a staggering scale
term market growth is expected, potentially creating through the implementation of massive server farms
this article?
increased business and security risk for enterprises dispersed across several geographic areas to provide
consuming these services. To minimize such risk, public cloud services to customers. Each data center
• Read Azure Audit
enterprises must develop a fundamental has multiple physical server racks, with a hypervisor
Program.
understanding of how to audit public CSPs such as assigned to each server to control its virtualization
www.isaca.org/
Microsoft Azure. operations (e.g., creating and managing VMs,
azure-audit-program
managing allocated compute resources). Microsoft
• Learn more about,
Microsoft Azure Azure uses the following components to seamlessly
discuss and
manage the individual customer cloud experience: the
collaborate on audit Microsoft Azure is a cloud computing platform that Azure web portal, the orchestrator and its APIs, a
and assurance in provides a pay-as-you-go service to both public and network switch, and fabric controllers, which all
ISACA’s Online private enterprises, renting them compute, power, directly or indirectly interact with the physical servers
Forums. storage and other services from infrastructure and the hypervisors. One server in each rack is
https://engage.isaca. hosted in Microsoft data centers.7 As of this writing, assigned the fabric controller software, which directly
org/onlineforums Microsoft Azure offers approximately 100 services communicates through the network switch with the
divided into 13 general categories, including virtual orchestrator to manage all actions occurring within
machine (VM) infrastructure capability for Linux and Azure, such as creating a VM, assigning storage to the
Windows compute workloads; application hosting VM, deleting VMs or responding to user requests. User
with full web application programming interface requests to manage Azure resources occur via the
(API) management; Internet of Things (IoT) Azure web API, which can be accessed by many tools,
Software as a Service (SaaS) for secure, centralized including the Azure portal and Azure command line
device information gathering or relay; and virtual interface (CLI). Figure 2 depicts a basic example of a
reality (VR) services that allow customers to explore new VM being created via the Azure portal, which, in
new software possibilities. Figure 1 details the turn, is packaged by the orchestrator and sent to the
Azure categories and their groupings.8 fabric controllers for assignment to a physical server
for processing of the creation request.9
The Microsoft Azure public cloud platform relies on
virtualization, which is the separation between a When an enterprise subscribes to Azure cloud
computer’s hardware and its operating system via services, it establishes the highest-level security
an abstraction layer known as a hypervisor, which boundary, called an Azure tenant. Azure tenants
emulates all computer functions in a VM-based

Figure 1—Microsoft Azure Categories

Security & Platform Services Hybrid

Management Media & CDN Application Platform Data Cloud
Azure AD
Security Center Media Media Content SQL SQL Data Correct Health
Delivery Web Mobile Database Warehouse Cosmos DS
Services Analytics Apps
Azure portal Network Apps Ad Privleged
SQL Server Azure Table Azure Identity
Azure Active API Cloud Stretch Cache Storage Search Management
Directory Integration Apps Services Database for Redis
API Domain Services
Azure Ad
B2C Management Service Notifications
Service Bus
Fabric Hubs Intelligence
Multi-Factor Azure Logic Cognitive Azure ML Backup
Functions Services Bot Services
Authentication Apps Studio

Automation Azure Monitor

Analytics & IoT
Compute Services Developer Services
Key Vault HDInsight Machine Stream
Visual Studio Mobile Learning Analytics Import/Export
Container VM Engagement
Azure Service Scale Sets Data Data Lake
Analytics Data Lake
Marketplace Azure DevOps Catalog Storage
Xamarin Service Azure Site
Azure Batch Dev/Test Lab Recovery
VM Image Gallery Visual Event Data Power BI
Application Studio IoT Hub
Insights Hubs Factory Embedded
App Center Start Simple
REST API and CU
Infrastructure Services
Compute Storage Networking
Containers and Virtual Load Express Traffic VPN App
Virtual Machines Azure Blob Queues Files Disks DNS
Network Balancer Route Manager Gateway Gateway
Kubernetes

Source: Microsoft, “What Is Azure?” https://docs.microsoft.com/en-us/learn/modules/welcome-to-azure/2-what-is-azure.

Reprinted with permission.

© 2020 ISACA. All rights reserved. www.isaca.org

2 ISACA JOURNAL VOL 5
 Figure 2—VM Creation Using the Azure Portal
ORCHESTRATOR
API FABRIC
CONTROLLER
AZURE PORTAL
Source: Microsoft, “What Is Azure?,” https://docs.microsoft.com/en-us/learn/modules/welcome-to-azure/2-what-is-azure.
Reprinted with permission.
virtually represent the enterprise that has
established a relationship with Microsoft Azure;
they can be single tenants or multitenants.10 All
tenants are identified by a globally unique identifier
(GUID) and rely on the Azure Active Directory (AAD),
which serves as the digital identity service model
for securing all SaaS, IaaS and PaaS resources
within Azure. The next level in the Azure hierarchy is
the management group. Management groups allow
an enterprise to organize Azure resources into a
hierarchy of strategic collections, providing another
level of classification and centralized access
control that transcends Azure subscriptions; for
example, an enterprise can designate a human
resources (HR) management group to dictate Azure
policy decisions over HR-associated Azure
subscriptions and resources, or it can assign a
marketing management group to define how
resources allocated to marketing can be deployed
and accessed. Next, Azure subscriptions are billed
service agreements between the enterprise and
Microsoft, allowing the use of any number of
Microsoft cloud platforms or services, such as the
Azure PaaS or Office 365 SaaS.11 The final level is
the resource group, which allows the enterprise to
logically group similar resources such as Structured
Query Language (SQL) databases or VMs together
FABRIC
CONTROLLER
for ease of management, such as by application, by
department or by operating environment. Figure 3
illustrates the hierarchy of tenants, management
groups, subscriptions, resource groups and
resources themselves.12, 13
Auditing the Azure Cloud Platform
Before an audit or security assessment begins, it is
important to understand which aspects of Azure the
customer is responsible for and which aspects
Microsoft is responsible for, as this will help focus
audit and assurance activities. Similar to AWS,
Azure operates under the shared responsibility
model, where, depending on the type of services the
customer subscribes to, management of certain
aspects of Azure, such as patch management, are
handled by Microsoft, by the customer or by both
(figure 4).14
Governance Controls
Governance controls are a key factor in shared
responsibility. Even though the cloud provider is
primarily responsible for operating certain controls
within Azure, the customer has an ethical,
professional and moral responsibility to oversee the
cloud provider’s activity for every vendor-managed
control to the extent possible.
ISACA JOURNAL VOL 4 3
 Figure 3—Azure Hierarchy
Azure Active
Directory/Tenant
Root Management Group
Human Resources IT
Subscription
Policy
Source: Microsoft, “Enterprise Governance Management,” https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/
4-management-groups. Reprinted with permission.
Executive management should clearly define an
Azure governance strategy that includes, but is not
limited to, the number of tenants allowed (single or
multitenant); management groups that are logically
organized by business function, geographic location
or the like; subscriptions allowed under each
management group, which are further divided by
operating environment, such as product or
development; and strategies to logically group and
dictate the type of deployed resources associated
with each subscription. As part of its governance
strategy, executive management should consider
declaring and routinely assessing the physical
regions where it deploys Azure resources to ensure
service availability, which involves determining
whether the region meets regulatory or other
compliance needs and whether the region is
capable of fulfilling the enterprise’s availability,
business continuity and disaster recovery needs.
© 2020 ISACA. All rights reserved. www.isaca.org
4 ISACA JOURNAL VOL 4
Policy
Marketing EA Subscription EA Subscription
Resource Group
Resources
Governance audits should also assess whether
management has included adequate enforcement
mechanisms to carry out its governance strategy
through the use of Azure policy, which allows the
enterprise to control where resources can be
deployed (e.g., limiting VM locations to the US
Western Region for the IT management group), how
many and what type of resources can be deployed
(e.g., disallowing the creation of a VM with more
than four central processing units [CPUs]), whether
resources can be created without tagging them, and
many other compliance scenarios.15 Other key
governance-related considerations include the
development, implementation and routine
assessment of a resource-tagging strategy to
support effective cost management, billing
forecasts and monitoring of resources that may be
impacted in the future. Finally, a governance audit
should consider the implementation of routine
ISACA JOURNAL VOL 5

Figure 4—Azure Shared Responsibility Model
On-
Responsibility prem IaaS PaaS SaaS
Data governance
and rights management
Client endpoints
Account and access
management
Identity and directory
infrastructure
Application
Network controls
Operating systems
Physical hosts
Physical network
Physical data center
Microsoft Customer
Source: Microsoft, “Cloud Security Is a Shared Responsibility,”
https://docs.microsoft.com/en-us/learn/modules/intro-to-
security-in-azure/2-shared-responsibility. Reprinted with
permission.
cloud vendor management practices that are
facilitated through the use of Microsoft’s Service
Trust portal, which provides the results of Service
Organization Controls (SOC), the Federal Risk and
Authorization Management Program (FedRAMP),
International Organization for Standardization (ISO)
27001, and Payment Card Industry Data Security
Standard (PCI DSS) attestations for Azure.16
Identity and Access Management
Auditing identity and access management (IdAM)
begins with an assessment of whether
management has declared and documented the
rationale for role-based access controls (RBACs)
applied to management groups, subscriptions,
resource groups and the individuals accessing
resources based on their job functions for all Azure
tenants. The concept of management groups
establishes the basis for effective RBAC, but RBAC
within Azure can be implemented against
management groups, individual subscriptions and
resource groups. To limit the time and resources
needed to manage access, the enterprise should
consider placing related subscriptions and their
resources under associated management groups
and then, to the extent possible, configuring a single
RBAC assignment for each management group. In
this way, access controls cannot be altered by
resources or subscription owners lower in the
management hierarchy, improving security and
allowing easier access management.
Azure can be accessed in many ways, including the
Azure web portal, Azure CLI and Azure Powershell.
The focus of the audit should expand here by
assessing the extent to which management has
identified allowable access methods and the
individuals assigned to sensitive access roles or
groups, such as service contributor or global
administrator. Next, the audit should assess
whether management has enforced the use of
multifactor authentication (MFA) controls for each
role or user posing an elevated access risk. This
includes considering how management has defined
the MFA user access strategy, which can be either
per-user MFA or security access group assignments
using conditional access policies that permit the
enterprise to define conditions that allow or reject
user access.17 Finally, the MFA configuration should
be reviewed to determine whether settings such as
Trusted Internet Protocols (IPs) are enabled that
allow MFA to be bypassed if a request is generated
from a specified IP address range or whether there
are legacy applications such as Office 2010 that do
not support Azure MFA.
“
THE AUDIT SHOULD ASSESS
WHETHER MANAGEMENT HAS
ENFORCED THE USE OF
MULTIFACTOR
AUTHENTICATION (MFA)
CONTROLS FOR EACH ROLE OR
”
USER POSING AN ELEVATED
ACCESS RISK.
Another key audit topic at the IdAM level is the use
of managed service identities (MSIs), which allow a
nonhuman Azure resource, such as a VM or SQL
database, to authenticate without explicitly
presenting credentials.18 MSIs can increase security
by allowing Azure to automatically handle rotating
credentials associated with each MSI; this requires
much less effort to maintain than prior setups
ISACA JOURNAL VOL 4 5
 before MSIs became available in Azure. There are
some drawbacks to the use of MSIs, such as the
limited number of Azure resources that support the
use of MSIs and the fact that MSIs only
authenticate outbound requests from one resource
to another. The audit should focus on the ability to
identify the full population of MSIs in use across
Azure tenants; the rationale behind their use, as they
generate costs; whether the MSI credentials are
securely stored and routinely rotated; and whether
the associated resources for which the MSI has
been created already have embedded credentials,
eliminating the need for an MSI to begin with.
To finalize the audit of IdAM controls, the
assessment should determine whether the use of
single sign-on (SSO) has been leveraged to
streamline password and user management in
enterprise applications; whether there is a banned
password list; whether password policy is enforced
to strengthen user credentials; and whether
resource protection mechanisms, such as resource
locks, are in place to prevent the unauthorized
deletion of critical resources within Azure tenants.
Resource locks can be set against subscriptions,
resource groups and individual resources,
permitting the enterprise to set a delete (allowing all
actions except delete) or read-only policy that
applies regardless of RBAC permissions and serves
as a strong control to protect enterprise data from
accidental or malicious deletion. Auditors should
also assess whether management periodically
revalidates access for users and MSIs to certify that
access is appropriate based on job responsibilities
and that unused accounts and identities are
removed from the Azure environment.
Network Controls
The audit of network security controls in Azure
includes assessing high-level network architecture
and integration points (if any) that have been
configured. Microsoft recommends the use of an N-
tier architecture where simple web applications are
being deployed, such as if the enterprise is
migrating on-premises applications to Azure with
minimal changes and under certain application
development scenarios. The N-tier concept involves
segmenting application resources into distinct tiers,
6 ISACA JOURNAL VOL 4
such as a web tier or a data tier, and restricting
communications between each tier to enhance
security.19 At this level, the audit should determine,
at a minimum, whether a demilitarized zone (DMZ)
exists in front of deployed web-facing applications,
whether a web application firewall (WAF) exists
between the application front end and the Internet,
whether resources in each tier are configured using
distinct subnetworks to isolate each tier, and
whether security groups (firewall rules within Azure)
and routing rules are properly configured to restrict
network traffic between tiers and directly to
resources (preventing direct Remote Desktop
Protocol [RDP] traffic to VMs and requiring a jump-
off box).
Additionally, the audit should determine whether
management has configured the Azure Security
Center or other monitoring tools to identify Internet-
facing resources that do not have network security
groups associated with them and whether
resources exist that are not secured behind
firewalls. Within Azure, Microsoft offers enterprises
a basic protection service to thwart common
distributed denial of service (DDoS)-based attacks,
but for enterprises looking to secure critical data,
the Azure DDoS standard solution may be ideal. It
has a variety of desirable features that the basic
version does not, such as security information and
event management (SIEM) tool integration, access
to Microsoft DDoS experts, post-attack mitigation
reports, and real-time attack metrics that may be
useful in preventing future DDoS attacks.20
Finally, audits at the network level should focus on
existing network integration points, such as those
sourced from the enterprise’s on-premises network
or other business partners that may have
connections to the Azure platform. Through the use
of Azure ExpressRoute, an enterprise can securely
integrate on-premises or other networks with Azure,
using a redundant Border Gateway Protocol (BGP)
connection through an approved third-party
connection provider, such as AT&T, that does not
interact with the public Internet.21 Although Azure
ExpressRoute connections increase privacy and
minimize public intrusion by not communicating
over the Internet, the enterprise must ensure that

layer 2 encryption via Media Access Control
Security (MACSec) or layer 3 encryption using IP
Security (IPSec) is enabled, with the enterprise
encryption keys securely stored and rotated within
the Azure Key Vault. The type of encryption used
depends on the Azure ExpressRoute connectivity
model selected (cloud exchange colocation, point-
to-point Ethernet or any-to-any IP virtual private
network [VPN]) and the enterprise’s specific
connectivity requirements.22 Each integration point
should be assessed routinely for security
appropriateness and justification to exist, and any
changes to the connection configuration should
result in alerts to the appropriate personnel.
Encryption
Data encryption within Azure depends primarily on
the types of resources and Azure services to which
the enterprise subscribes. The audit should start
with an understanding of the overall data protection
or data encryption policy the enterprise has defined
for Azure. An assessment of that policy should
cover the scope of the tenants, subscriptions and
so forth to which the policy applies and the
responsible parties who manage the configurations,
encryption keys and the like. The encryption policy
should also state the accepted algorithms or
ciphers (Secure Hash Algorithm [SHA] or Advanced
Encryption Standard [AES]), the minimum
encryption strength of each algorithm (256 bit vs.
512 bit) applied to each resource type that requires
encryption, and under which scenarios data
encryption should occur (e.g., upon creation, at rest,
in use, in transit).23 Because encryption is the final
protection against unauthorized data manipulation
or loss, it is crucial that the data encryption policy is
well planned and comprehensive enough to cover
all applicable business resources, has proper
executive-level support, and is subjected to ongoing
monitoring via database auditing or virtual desktop
checks to ensure sustained compliance.
There are many encryption options available for
data at rest (data stored on a persistent medium
such as a hard disk drive) and data in transit (data
traveling between public or private networked
devices). The Azure disk encryption service allows
VM disks to be encrypted using either Bitlocker
“
EACH INTEGRATION POINT SHOULD
ROUTINELY BE ASSESSED FOR SECURITY
APPROPRIATENESS AND JUSTIFICATION TO
EXIST, AND ANY CHANGES TO THE CONNECTION
”
CONFIGURATION SHOULD RESULT IN ALERTS TO
THE APPROPRIATE PERSONNEL.
technology for Windows or dm-crypt for Linux. For
both types of encryption keys, storage in the Azure
Key Vault is recommended, and it is capable of
centrally managing all necessary encryption-based
activities such as creating, distributing, rotating and
deleting encryption keys, secrets, digital certificates
and connection strings.24 The Azure Key Vault has
its own separate authentication and authorization
function; it can also create multiple vaults for
various objects and purposes. The audit should
begin by assessing which Azure resources have
been designated to integrate and store encryption
objects (e.g., keys, certificates) in the Azure Key
Vault; the vaults defined in the Azure Key Vault; the
appropriateness of the users, accounts and end
points, such as workstations, that have access to
manage these encryption objects; and whether
there is sufficient monitoring to log the users or
MSIs accessing or changing objects stored in the
Azure Key Vault.
The audit should then concentrate on whether the
enterprise has defined capabilities to restore
accidentally or maliciously deleted key vaults and
their contents through an evaluation of the soft-
delete and purge-protection features available in the
Azure Key Vault.25 A related audit focus at this level
is determining whether the enterprise is routinely
practicing the deletion and recovery of key vaults
and encryption objects to ensure that these
mechanisms work as expected and fully support
emergency recovery efforts related to security
breaches or accidents triggered by personnel.
For any documents, emails or sensitive data
produced using Azure resources, the Azure
ISACA JOURNAL VOL 4 7
 information protection solution can assist with data
classification and data protection using a
combination of encryption and identity
management policies that apply to documents even
after they have been sent outside of Azure tenants,
reducing data leakage. For information created in
Azure, the audit should assess the extent to which
the enterprise seeks to classify, label and control
access to intellectual property created, stored and
transmitted by Azure resources.
Security Incident Response
Assessment of a security incident response plan
(SIRP) includes, but is not limited to, determining
whether defined roles and responsibilities have
been documented and examining the criteria for a
security event (an observable occurrence, such as a
user connecting to a network), a security incident (a
violation of security policy or practice) and a
security breach (a security incident that results in
the loss of enterprise data and/or system
compromise). The SIRP should also detail the
various phases of the response and the expected
actions by responders, such as preparation,
detection and analysis, containment, eradication,
recovery, and postmortem. The audit should focus
on verifying the existence of an SIRP; ensuring that
it has proper executive support within the
enterprise; determining whether its scope includes
Azure tenants, subscriptions and resources;
ensuring that it includes planned incident response
exercises and lessons-learned activities; and
ascertaining that it is routinely reviewed internally
for completeness, accuracy and adequacy.
“
BECAUSE ENCRYPTION IS THE FINAL
PROTECTION AGAINST UNAUTHORIZED DATA
MANIPULATION OR LOSS, IT IS CRUCIAL THAT
THE DATA ENCRYPTION POLICY IS WELL
PLANNED AND COMPREHENSIVE ENOUGH TO
”
COVER ALL APPLICABLE BUSINESS
RESOURCES…
8 ISACA JOURNAL VOL 4
To bolster security incident response capabilities,
Azure Security Center’s standard subscription can
assist in the detection and prevention of and the
timely response to security threats affecting not
only Azure resources, but also on-premises
resources that have been integrated with Azure
tenants.26 At this level, the audit should focus on
determining whether the enterprise routinely
reviews security scores published by the Security
Center, prioritizes the control recommendations
offered by the Security Center and acts on them in a
timely manner. The audit should also identify any
security recommendations the enterprise chooses
not to act on; these should be documented as
security exceptions, with a clear justification for the
enterprise’s failure to follow them. These exceptions
should require the approval of security and IT
operations management, and they should be
routinely reassessed to determine whether the
conditions justifying the exception are still valid.
In addition, audit activity at the security incident
response level should focus on determining
whether Azure Security Center alerts have been
integrated with the enterprise’s SIEM tool or whether
the enterprise has subscribed to an option such as
Azure Sentinel, which is capable of expanding
security incident response capabilities by
performing automated threat detection and
reporting using artificial intelligence (AI) or
responding to common security incidents using
native Security Orchestration Automated Response
(SOAR) functions.27 Finally, the audit should ensure
that the enterprise has registered its contact
information with Microsoft so that it can receive
prompt notification of critical security incidents
affecting the Azure platform. In addition, the
enterprise should subscribe to external threat
intelligence feeds that routinely inform it of
potential threats impacting Azure resources.
Conclusion
The topics discussed here only scratch the surface
of security risk and the controls required to address
it. The companion Azure audit program28 provides a
more comprehensive approach to managing risk

factors, but it is only a general recommendation.
Each enterprise will subscribe to and configure a
different combination of Azure resources. By
adopting a risk-based approach and understanding
the connections between internal Azure resources
and external resources and the data flows in
between, an enterprise can obtain a clearer picture
of where its primary risk lies and which controls are
key to managing that risk. Maintaining some level of
assurance will be the primary challenge, requiring
enterprises to balance available resources against
emerging threats and the malicious actors behind
them. With grit, patience and a measured approach,
enterprises can increase their chances of operating
securely in the Azure cloud and returning
tremendous value to their stakeholders.
Endnotes
1 Stalcup, K.; “AWS vs Azure vs Google Cloud
Market Share 2020: What the Latest Data
Shows,” ParkMyCloud, 5 February 2020,
https://www.parkmycloud.com/blog/aws-vs-
azure-vs-google-cloud-market-share/
2 Ibid.
3 Asay, M.; “Microsoft Keeps Hiding Azure
Revenue Numbers, but Why?” TechRepublic,
26 April 2019, https://www.techrepublic.com/
article/microsoft-keeps-hiding-azure-revenue-
numbers-but-why/
4 Clement, J.; “Amazon Web Services: Quarterly
Revenue 2014–2020,” Statista, 4 May 2020,
https://www.statista.com/statistics/250520/
forecast-of-amazon-web-services-revenue/
5 Microsoft, “Annual Report 2019,”
https://www.microsoft.com/investor/reports/
ar19/index.html
6 Dignan, L.; “Top Cloud Providers in 2020: AWS,
Microsoft Azure, and Google Cloud, Hybrid,
SaaS Players,” ZDNet, 11 May 2020,
https://www.zdnet.com/article/the-top-cloud-
providers-of-2020-aws-microsoft-azure-google-
cloud-hybrid-saas/
7 Microsoft, “What Is Azure?”
https://docs.microsoft.com/en-us/learn/modules/
welcome-to-azure/2-what-is-azure
8 Microsoft, “Tour of Azure Services,”
https://docs.microsoft.com/en-us/learn/modules/
welcome-to-azure/3-tour-of-azure-services
“
THE ENTERPRISE SHOULD
SUBSCRIBE TO EXTERNAL
THREAT INTELLIGENCE
FEEDS THAT ROUTINELY
INFORM IT OF POTENTIAL
”
THREATS IMPACTING AZURE
RESOURCES.
9 Op cit Microsoft, “What Is Azure?”
10 Microsoft, “Quickstart: Set up a Tenant,”
12 March 2020, https://docs.microsoft.com/
en-us/azure/active-directory/develop/
quickstart-create-new-tenant
11 Microsoft, “Subscriptions, Licenses, Accounts,
and Tenants for Microsoft Cloud Offerings, “
8 October 2019, https://docs.microsoft.com/
en-us/office365/enterprise/subscriptions-
licenses-accounts-and-tenants-for-microsoft-
cloud-offerings
12 Thuru’s Blog, “Democratizing Enterprise Cloud
in Azure,” 24 March 2019, https://thuru.net/
2019/03/24/democratizing-enterprise-
cloud-in-azure/
13 Microsoft, “Enterprise Governance Management,”
https://docs.microsoft.com/en-us/learn/
modules/intro-to-governance/4-management-
groups
14 Microsoft, “Cloud Security Is a Shared
Responsibility,” https://docs.microsoft.com/
en-us/learn/modules/intro-to-security-in-
azure/2-shared-responsibility
15 Microsoft, “Define IT Compliance With Azure
Policy,” https://docs.microsoft.com/en-us/
learn/modules/intro-to-governance/
2-azure-policy
16 Microsoft, “Service Trust Portal,”
https://servicetrust.microsoft.com/
17 Microsoft, “Enable Per-User Azure Multi-Factor
Authentication to Secure Sign-in Events,”
13 April 2020, https://docs.microsoft.com/
en-us/azure/active-directory/authentication/
howto-mfa-userstates
ISACA JOURNAL VOL 4 9
 18 Downs, J.; “Demystifying Managed Service
Identities on Azure,” Kloud, 13 April 2018,
https://blog.kloud.com.au/2018/04/13/
demystifying-managed-service-identities-on-azure/
19 Microsoft, “N-Tier Architecture Style,”
30 August 2018, https://docs.microsoft.com/
en-us/azure/architecture/guide/
architecture-styles/n-tier
20 Microsoft, “Azure DDoS Protection Standard
Overview,” 22 January 2020, https://docs.
microsoft.com/en-us/azure/virtual-network/
ddos-protection-overview
21 Microsoft, “ExpressRoute Overview,”
18 September 2019, https://docs.microsoft.com/
en-us/azure/expressroute/expressroute-
introduction
22 Microsoft, “ExpressRoute Connectivity Models,”
18 September 2019, https://docs.microsoft.
com/en-us/azure/expressroute/expressroute-
connectivity-models
10 ISACA JOURNAL VOL 4
23 Abrenio, G.; “How to Develop an Enterprise
Encryption Policy,” Cyber Armed, 15 March
2016, https://www.cyberarmed.com/how-to-
develop-an-enterprise-encryption-policy/
24 Microsoft, “Encryption,”
https://docs.microsoft.com/en-us/learn/modules/
intro-to-security-in-azure/4-encryption
25 Microsoft, “Azure Data Security and Encryption
Best Practices,” 9 March 2020,
https://docs.microsoft.com/en-us/azure/security/
fundamentals/data-encryption-best-practices
26 Microsoft, “Azure Operational Best Practices,”
6 May 2019, https://docs.microsoft.com/
en-us/azure/security/fundamentals/operational-
best-practices
27 Microsoft, “What Is Azure Sentinel?”
24 September 2019, https://docs.microsoft.
com/en-us/azure/sentinel/overview
28 ISACA®, Azure Audit Program, USA, 2010,
https://www.isaca.org/bookstore/
audit-control-and-security-essentials/waazu