
Azure Data Protection: Getting it Right

What Is Azure Data Protection?

Azure data protection refers to a set of practices and tools you can use to create multi-layered Azure security. It includes protections for physical security of data centers, protections for infrastructure, and tools for securing customer data.

Data protection in Azure relies on built-in controls and tools created by a team of Microsoft security experts. These controls and tools are integrated into Azure firmware and hardware and extend protections across your services. In particular, the following tools and technologies are available:

  • Azure Active Directory—enables you to manage your identity and access configurations centrally. This service is compatible with on-premises Active Directory configurations to enable easy migration.
  • Data security and encryption—Azure services come with built-in encryption based on the AES-256 standard. Additionally, you can secure connections with Transport Layer Security (TLS) protocols.
  • Virtual machine security—you can choose from a variety of anti-malware solutions to prevent the infection of your virtual machines. These solutions help ensure that individual machines aren’t compromised and that attackers cannot move from your machines to your broader network.
  • Web application firewalls—firewalls are available to secure web application traffic and prevent the exploitation of common vulnerabilities. These protections are based on OWASP standards.
  • Cloud Services Due Diligence Checklist—an auditing tool designed to help you assess and prepare for migration. It provides benchmarks against which you can measure your current configurations and provides recommendations for standards you need to meet to migrate securely.


Data Threats in Azure

The wide variety of data that you can store in Azure services can present many threats. Data can be inherently sensitive, such as financial data, or can provide valuable information about your system structure and configurations, like metadata. To ensure data security, it is important to protect all types of data. This requires first understanding where data is stored.

Compute services, storage, networking: vulnerable data elements
  • Customer package or service configuration files (CSPKG or CSCFG)
  • Data in storage services
  • Shared access signatures or user keys
  • Service certificates
  • Credential information

Virtual machines: vulnerable data elements
  • Virtual machine images
  • User or admin credentials
  • Endpoint configurations and deployment templates

Virtual networks: vulnerable data elements
  • Pre-shared keys
  • IP addresses or ranges for gateways

This data, and the threats to it, are similar to those in an on-premises environment. The main difference is that cloud-hosted data is often more accessible because of Internet-facing endpoints. Types of threats you should be aware of include:

  • Loss—when data is unrecoverable due to theft, hardware failure, or error.
  • Alteration—when the integrity of data is compromised due to corruption, user error, or intentional tampering.
  • Misuse—when data is accidentally or intentionally exposed or shared with unauthorized users.
  • Repudiation—when data is accessed or modified without auditable logs.


These threats can stem from user mistakes, natural disasters, and attacks. Although all are valid threats, most of your security resources are aimed at preventing attacks. In particular, with cloud data, you need to account for both online and offline attacks.

Online attacks
  • Occur while resources are actively running
  • Are typically accomplished through compromised credentials or failures of authentication and authorization mechanisms
  • Often involve transferring data over unprotected or compromised communication channels

Offline attacks
  • Occur when unauthorized users move data or physical storage devices
  • Do not require network access and often involve theft of physical devices, such as laptops
  • Often involve attackers modifying system controls or planting malware

Azure Security Capabilities Supporting Data Protection

To help you protect your data, Azure includes several built-in services and utilities. These solutions are all native to Azure and can help you monitor security and apply protections in combination with third-party tools. Azure NetApp Files is one of the services with data protection built in, offering snapshot copies with fast restores, cross-region replication, and always-on encryption.

Data Protection with Azure NetApp Files

Azure NetApp Files complies with leading industry certifications like HIPAA and GDPR. Along with the default 99.99% availability, this means that you can migrate and securely run industry applications in Azure with confidence. Deep integration with Azure enables a seamless and secure Azure experience, with no storage-centric learning required to create, manage, or protect your business data.

Azure Active Directory (AD)

Azure AD is a cloud-native version of the traditional AD solution for identity and access management. You can use it to define and manage user credentials and permissions across your cloud resources.

Included in Azure AD are features for multi-factor authentication (MFA) and the ability to create conditional access policies. You can use Azure AD to audit permissions, alert to changes, and report on user activity. Through the premium version, you can also enable single sign-on (SSO).

Data Security and Encryption

Azure provides built-in encryption for your data at rest and in transit. This encryption is enabled for most services by default, and for some services it cannot be disabled. At-rest encryption is based on AES-256 and in-transit encryption relies on TLS. You can manage your encryption keys through Azure services, rely on the services to self-manage keys, or use Azure Key Vault for centralized management.

  • At-rest encryption—applies to any data stored on physical media, including storage objects and containers.
  • In-transit encryption—applies to data during inter-service requests, network transfers, and during input/output operations.
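The checks a practitioner would run against these settings, as an added example (not from the original article, Microsoft, or NetApp): a small audit of a storage account's in-transit and key-management properties. The property names are assumed to follow the ARM Microsoft.Storage/storageAccounts resource (supportsHttpsTrafficOnly, minimumTlsVersion, encryption.keySource), and both account documents are constructed samples.

```python
"""Audit Azure Storage account properties for the data-protection settings
described above: TLS in transit and how encryption keys are managed.

Added example, not code from the article or from Microsoft/NetApp. Property
names are assumed to follow the ARM storage account resource; the two
documents below are constructed samples, not real accounts.
"""
import json

# Constructed sample: a weakly configured account (plain HTTP, old TLS,
# platform-managed keys).
WEAK_ACCOUNT = json.dumps({
    "name": "stweakexample",
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "minimumTlsVersion": "TLS1_0",
        "encryption": {"keySource": "Microsoft.Storage"},
    },
})

# Constructed sample: the same account after hardening (HTTPS only,
# TLS 1.2 minimum, customer-managed keys held in Key Vault).
HARDENED_ACCOUNT = json.dumps({
    "name": "sthardenedexample",
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "encryption": {
            "keySource": "Microsoft.Keyvault",
            "keyvaultproperties": {"keyvaulturi": "https://kv-example.vault.azure.net/"},
        },
    },
})

TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


def audit_storage_account(doc: str) -> list[str]:
    """Return findings for one account document; an empty list means it passes."""
    props = json.loads(doc)["properties"]
    findings = []
    # In-transit protection: refuse plaintext HTTP and require TLS 1.2.
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append("plaintext HTTP allowed: set supportsHttpsTrafficOnly=true")
    if TLS_ORDER.get(props.get("minimumTlsVersion", "TLS1_0"), 0) < TLS_ORDER["TLS1_2"]:
        findings.append("minimum TLS below 1.2: set minimumTlsVersion=TLS1_2")
    # Key management: flag accounts still on service-managed keys when the
    # policy calls for centralized, customer-managed keys in Key Vault.
    if props.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        findings.append("keys are service-managed: move to Key Vault customer-managed keys")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        print(label, audit_storage_account(doc) or ["OK"])
```

The same checks can be fed the JSON that `az storage account show` returns for a real account, after mapping its field names to the ARM properties assumed here.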

Virtual Machine Security

To protect your VMs, Azure supports a variety of third-party anti-malware solutions, including Kaspersky, Trend Micro, and Symantec. It also offers Microsoft Anti-malware for Azure Cloud Services and Virtual Machines.

This solution is designed to help you identify and prevent spyware, viruses, and ransomware. It provides real-time detection and protection and includes configurable alerts for incident response.


Web Application Firewall (WAF)

WAFs are next-generation firewalls designed to protect web applications in the way traditional firewalls protect endpoints. In Azure, WAFs are available through the Azure Application Gateway service. This service is designed to provide centralized protection for your web applications.

The firewall includes traffic filtering rules created by the Open Web Application Security Project (OWASP). You can use this service to protect against the most common web app threats, including SQL injection, code injection, and cross-site scripting.

Cloud Services Due Diligence Checklist

The Cloud Services Due Diligence Checklist is a tool created to help you evaluate your current configurations before moving to Azure. You can also use it to confirm that configurations were correctly addressed post-migration.

The checklist includes benchmarks for security, data management, performance, availability, governance objectives, and service requirements. These benchmarks are aligned with the current standard for cloud service agreements (ISO/IEC 19086).

Conclusion

Azure NetApp Files features Azure’s powerful built-in security infrastructure while supporting any workload type. You can select service and performance levels, set up NetApp Snapshot™ copies, and replicate between regions all through the service.

NetApp Cloud Volumes ONTAP can be used with NetApp SnapMirror technology for cross-AZ and cross-region data replication on Azure. Data is available in its native format with no platform locking and minimum storage consumption on cloud platforms due to Cloud Volumes ONTAP’s built-in storage-efficiency savings. See how NetApp cloud storage solutions prep your company for the future of cloud data.
