Security and Compliance Concepts
The shared responsibility model
Ask one question of any cloud security task and most of this topic falls into place: do you configure it, or does Microsoft run it for you? That single dividing line is the shared responsibility model, and it moves depending on how much of the stack you rent. In an on-premises datacenter you own the whole stack; as you move to the cloud, some duties transfer to Microsoft, and the more managed the service, the more it absorbs (Shared responsibility in the cloud[1]).
Microsoft splits cloud services into three models, and the responsibility boundary sits at a different height in each. With infrastructure as a service (IaaS), such as an Azure virtual machine, Microsoft secures the physical hosts, physical network, and datacenter, and you still own the operating system, applications, and network controls on top. With platform as a service (PaaS), such as Azure App Service, Microsoft additionally runs the operating system, so your job narrows to the application and its data. With software as a service (SaaS), such as Microsoft 365, you consume a finished application and hand almost everything to Microsoft (SC-900 shared responsibility[2]).
What never transfers
Three responsibilities stay with you no matter the model, and this is the single most tested fact in the topic: your information and data, your devices (the phones, laptops, and PCs that reach your services), and your accounts and identities. Because you always own identity, you also always own access management: the role assignments, multifactor authentication, and conditional access that decide who may do what. A band in the middle of the matrix is genuinely shared, most notably the identity and directory infrastructure, applications, network controls, and operating system, where the split depends on whether the service is IaaS, PaaS, or SaaS. The grid below reads left (you own the most, on-premises) to right (Microsoft owns the most, SaaS).
Defense in depth and the CIA triad
No single wall stops every attacker, so defense in depth stacks several independent walls: if one layer is breached, the next still stands between the attacker and your data (SC-900 defense in depth[3]). Microsoft describes seven layers, drawn from the outside in.
- Physical security limits who can touch the hardware, through locked facilities, badge readers, guards, and cameras.
- Identity and access authenticates and authorizes users before granting access, using multifactor authentication (MFA), role-based access control (RBAC), and conditional access; even a stolen password can be stopped here.
- Perimeter protects the network boundary from bulk external attacks, including distributed denial-of-service (DDoS) protection and perimeter firewalls.
- Network controls traffic between resources through segmentation and network security groups (NSGs), so a compromise in one zone does not automatically reach every other.
- Compute hardens virtual machines and containers by patching, closing unused ports, and restricting administrative access.
- Application ensures software ships without exploitable flaws, through secure development and input validation against attacks such as SQL injection.
- Data is the innermost and most critical layer: access controls, encryption, and data classification protect the information every other layer exists to defend.
The CIA triad
Every layer works toward the same three goals, the CIA triad. Confidentiality keeps data readable only to authorized parties, and a breach of it is what we call a data breach. Integrity keeps data accurate and unaltered except through authorized changes, which is why verifying the hash of a downloaded file is an integrity check. Availability keeps systems reachable for legitimate users, which is exactly what a DDoS attack or ransomware takes away. The three can pull against each other: encrypting everything strengthens confidentiality, but losing the keys destroys availability, so good security balances the three rather than maximizing any one.
The Zero Trust model
The traditional security model trusted anything inside the corporate network and guarded only the perimeter. That fails against modern attacks built on stolen identities, phishing, and session hijacking, which do not depend on network location (Zero Trust as a security foundation[4]). Zero Trust replaces perimeter trust with one rule, never trust, always verify, treating every request as if it came from an open network.
Three guiding principles govern every access decision (SC-900 Zero Trust[5]):
- Verify explicitly. Authenticate and authorize from all available signals: the user identity, sign-in location, the device and its compliance state, the application and data involved, and anomalies such as an unusual sign-in time, rather than from a single factor like a password.
- Use least privilege access. Grant only the access a task needs, for only as long as it is needed. This is implemented with just-in-time (JIT) access and just-enough-access (JEA), plus risk-based adaptive policies that tighten automatically when activity looks risky.
- Assume breach. Design as though an attacker is already inside: segment access so a compromised account cannot roam freely, encrypt data end to end, and monitor so a breach is detected and contained quickly.
The pillars
Microsoft enforces these principles across a set of interconnected pillars. Six are the resources and signal sources to defend, identities, devices, applications, data, infrastructure, and networks, and a seventh, visibility, automation, and orchestration, collects the signals from the other six and coordinates the response, typically through security information and event management (SIEM) and security orchestration, automated response (SOAR) tooling. Identity is called out as the primary control plane, because almost every successful attack eventually relies on abusing an identity.
Encryption and hashing
Encryption and hashing both turn readable data into something unreadable, but they answer different questions, and telling them apart is the classic trap in this topic. Encryption is reversible: it scrambles data so that only a holder of the correct key can turn it back into plaintext, which is what protects data you must read again later (SC-900 encryption and hashing[6]). Hashing is one-way: it has no key and cannot be reversed.
Two kinds of encryption
Symmetric encryption uses the same secret key to encrypt and decrypt. It is fast and well suited to bulk data such as files or database records, but it raises the key distribution problem, because both sides need the same key and sharing it securely is hard. Asymmetric encryption uses a mathematically related key pair, a public key and a private key, where you cannot derive the private key from the public one. Data encrypted with the public key can be decrypted only with the private key, which solves key distribution because the public key can be shared freely; the reverse direction, signing with the private key and verifying with the public key, produces digital signatures. Asymmetric encryption underpins HTTPS, where Transport Layer Security (TLS) secures the connection between browser and server.
Encryption is also described by the state of the data: at rest (stored on a disk, database, or storage account), in transit (moving across a network, protected by TLS or a VPN), and in use (being processed in memory, protected by confidential computing). Because encryption is only as strong as its keys, key management matters as much as the algorithm: store keys apart from the data, use hardware security modules (HSMs), and rotate keys regularly. Azure Key Vault is Microsoft's managed service for storing keys, secrets, and certificates (Azure Key Vault[7]).
Hashing
Hashing runs any input through an algorithm to a fixed-length value called a hash, or digest. The same input always produces the same hash, and the value cannot be reversed to recover the input, which makes a hash a reliable fingerprint for verifying data without ever storing the original. That is why a system stores the hash of a password rather than the password itself: a stolen database yields only hashes. Because hashing is deterministic, attackers can precompute the hashes of common passwords into rainbow tables, so passwords are salted first. A salt is a unique random value added to each password before hashing, so two identical passwords produce different stored hashes and precomputed tables no longer match.
Governance, risk, and compliance (GRC)
Organizations operate under a growing web of laws about how data is protected, where it may be stored, and who is accountable when something goes wrong. Governance, risk, and compliance (GRC) is the framework of policies, processes, and technology that keeps an organization on the right side of those obligations (SC-900 GRC concepts[8]). Its three parts play distinct roles.
- Governance is the system of rules, practices, and processes that directs and controls an organization: who may access which resources, who holds administrative rights and for how long, and how data is classified, handled, and retained. Governance creates the structure on which the other two operate.
- Risk management identifies, assesses, and responds to threats. The goal is not to eliminate all risk but to understand it well enough to make informed decisions. Risk comes from outside (cyberattacks, disasters, suppliers) and inside (accidental exposure, insider threats). The process runs as a loop: identify risks, assess each by impact and likelihood to produce a risk score, respond by choosing to accept, mitigate, transfer (for example through insurance), or avoid the risk, and monitor continuously as the environment changes.
- Compliance is adherence to the laws, regulations, standards, and policies that apply, which depend on industry, geography, and data type. Familiar examples are HIPAA (US health data), ISO 27001 (an information security management standard), and SOC (an auditing standard for service providers).
Compliance is a floor, not security
A point the exam presses: compliance is not the same as security. Compliance is the minimum a law or regulation demands, while security is the broader set of practices that actually protect data and systems. An organization can be fully compliant and still carry serious vulnerabilities.
Data residency, sovereignty, and privacy
Three data-location terms sit inside compliance and are easy to confuse. Data residency is about where data may be physically stored, and how or when it may be transferred or accessed across borders; the rules differ by jurisdiction. Data sovereignty is the principle that data is subject to the laws of the country or region where it is physically collected, held, or processed, so a single dataset can fall under several jurisdictions as it moves between them. Data privacy is the appropriate handling of personal data, meaning any information that identifies a person, and it requires transparency about what is collected, obtaining consent, and honoring individual rights to access, correct, or delete their data.
Exam pattern recognition
These concepts appear as short "which term fits" or "who is responsible" questions. Anchor on the sharpest distinction in each.
Shared responsibility, who owns it. If the stem names your data, your accounts and identities, or the devices that access your services, the answer is you, in every model including SaaS. If it names the physical datacenter, physical hosts, or physical network, the answer is always Microsoft. The operating system flips with the model: yours on IaaS, Microsoft's on PaaS and SaaS. A classic distractor claims Microsoft owns your identities or your data because the service is managed; it never does.
Encryption vs hashing. If the task must recover the original value later, the answer is encryption, which is reversible and uses a key. If it stores passwords or checks that data was not altered, the answer is hashing, which is one-way and keyless. Within encryption, the same key both ways is symmetric, while a public and private key pair is asymmetric; encrypting with a public key and decrypting with the private key is the asymmetric giveaway. Calling hashing a form of encryption, or claiming a hash can be decrypted, is the trap.
Zero Trust principles. Match the phrase to the principle: evaluating many signals before granting access is verify explicitly; JIT or JEA access is use least privilege; segmenting and encrypting because an attacker may already be inside is assume breach.
Residency vs sovereignty vs compliance. Where data may be stored is residency; whose laws apply to it is sovereignty; meeting a named regulation such as HIPAA or ISO 27001 is compliance. And remember that being compliant is a minimum bar, not proof of being secure.
Encryption (symmetric vs asymmetric) vs hashing
| Property | Symmetric encryption | Asymmetric encryption | Hashing |
|---|---|---|---|
| Keys | One shared secret key | Public + private key pair | No key at all |
| Reversible? | Yes, with the shared key | Yes, with the private key | No, it is one-way |
| Output | Ciphertext, variable length | Ciphertext, variable length | Fixed-length digest |
| Main problem it solves | Fast bulk encryption | Key distribution and digital signatures | Verify data without storing the original |
| Typical use | Files, disks, databases at rest | HTTPS/TLS, email, code signing | Password storage, file integrity checks |
| Exam tell | Same key encrypts and decrypts | Encrypt with public, decrypt with private | One-way, no key, cannot be undone |
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
In every cloud model, including SaaS, three duties never transfer to Microsoft: your information and data, your devices (the phones, laptops, and PCs that reach your services), and your accounts and identities. Because identity stays yours, so does access management: multifactor authentication, role assignments, and conditional access. These are the most tested 'who is responsible' answers precisely because they never shift to the provider.
Trap Assuming a managed or SaaS service makes Microsoft responsible for your user identities or data; those stay with you no matter how managed the service is.
7 questions test this
- Your organization uses Microsoft Entra ID to manage identities. In the shared responsibility model, which task is Microsoft responsible for?
- Your organization uses sensitivity labels from Microsoft Purview Information Protection to classify documents stored in Azure. In the…
- According to the shared responsibility model, which responsibility always remains with the customer regardless of whether the cloud…
- Your organization uses Microsoft Entra ID (formerly Azure Active Directory) as its identity provider. In the shared responsibility model,…
- Your organization uses Microsoft Entra ID to manage user identities for accessing Azure resources. Which task is the customer's…
- In the Azure shared responsibility model, which security task always remains with the customer regardless of the cloud service type?
- According to the Azure shared responsibility model, which combination of security areas is always the customer's responsibility across all…
- The responsibility line rises from IaaS to PaaS to SaaS
On-premises you own the whole stack. With IaaS, Microsoft owns the physical hosts, network, and datacenter while you own the operating system, applications, and network controls. PaaS moves the operating system to Microsoft's side, leaving you the application and its data. SaaS hands almost everything to Microsoft. The more managed the service, the smaller your share.
Trap Putting operating-system patching on the customer for PaaS or SaaS; the OS is Microsoft's responsibility there, and only the customer's on IaaS.
3 questions test this
- Your organization uses Microsoft Entra ID to manage identities. In the shared responsibility model, which task is Microsoft responsible for?
- Your organization uses Microsoft 365 for email and collaboration. According to the shared responsibility model, which area is managed by…
- Your organization plans to migrate a web application from an Azure Virtual Machine to Azure App Service. How does the responsibility for…
- Physical hosts, network, and datacenter are always Microsoft's in the cloud
Once a workload runs in the cloud, the three physical layers, physical hosts, physical network, and physical datacenter, are Microsoft's responsibility in every service model. The customer never secures the datacenter building, the racks, or the cabling.
Trap Assigning physical datacenter or host security to the customer for IaaS; physical layers are always Microsoft's once you are in the cloud.
3 questions test this
- Your company uses both Azure Virtual Machines and Microsoft 365. In the shared responsibility model, which area is managed by Microsoft…
- Your organization migrates virtual machines from an on-premises datacenter to Azure IaaS and plans to use Microsoft Entra ID for identity…
- Select the answer that correctly completes the sentence. When an organization migrates from an on-premises datacenter to Azure, the…
- Defense in depth stacks independent layers so one breach is not fatal
Defense in depth uses overlapping controls from the outside in: physical, identity and access, perimeter, network, compute, application, and data at the core. Each layer is independent, so if an attacker gets past one, the next still stands between them and the data. It is the opposite of trusting a single perimeter wall.
- The CIA triad is confidentiality, integrity, and availability
Every security control ultimately serves one of three goals. Confidentiality keeps data readable only to authorized parties. Integrity keeps data accurate and unaltered except by authorized changes. Availability keeps systems reachable for legitimate users. Attacks map to these too: theft targets confidentiality, tampering targets integrity, and a denial-of-service targets availability.
Trap Confusing integrity with confidentiality; integrity is about unauthorized modification or tampering, while confidentiality is about unauthorized reading.
- A hash check verifies integrity, not confidentiality
Comparing a downloaded file's hash to the value the publisher lists confirms the file was not altered, which is an integrity control. It reveals nothing about who can read the file, so it gives no confidentiality. Hashing detects change; encryption hides content.
Trap Treating a hash or checksum as a way to keep data secret; it detects tampering but does not conceal the data.
- Zero Trust means never trust, always verify
Zero Trust drops the assumption that anything inside the corporate network is safe and verifies every request as if it came from an open network. It replaces the old perimeter model because modern attacks use stolen identities and phishing that do not depend on network location. Trust is earned per request, not granted by the network.
Trap Assuming traffic from inside the corporate network is automatically trusted; under Zero Trust, network location is never by itself proof of trust.
- Verify explicitly decides from many signals, not one factor
The verify-explicitly principle authenticates and authorizes from all available signals: user identity, sign-in location, the device and its compliance state, the app and data involved, and anomalies such as an unusual sign-in time. The more signals evaluated, the more confidence the right person is reaching the right resource. A single factor like a password is not enough.
Trap Treating a correct password alone as sufficient; verify explicitly weighs multiple signals, so a valid password from an unmanaged device or odd location can still be challenged.
- Least privilege grants just enough access, just in time
The least-privilege principle gives users and systems only the access a task needs, for only as long as it is needed. It is implemented with just-in-time (JIT) access, which grants then revokes, and just-enough-access (JEA), which scopes to the exact permissions required. Risk-based adaptive policies tighten access automatically when activity looks risky.
- Assume breach: segment, encrypt, and monitor as if already compromised
The assume-breach principle designs security as though an attacker is already inside. You segment access so a compromised account cannot roam freely, encrypt data end to end so intercepted data is unreadable, and monitor with analytics so a breach is detected and contained quickly. Effort shifts from only keeping attackers out to limiting what they can do once in.
1 question tests this
- Zero Trust spans six resource pillars plus a seventh that correlates signals
Microsoft enforces Zero Trust across six pillars that are the resources and signal sources to defend: identities, devices, applications, data, infrastructure, and networks. A seventh pillar, visibility, automation, and orchestration, aggregates the signals from the other six and coordinates the response, typically through SIEM and SOAR tooling. Identity is described as the primary control plane because most attacks eventually abuse one.
- Encryption is reversible with a key; hashing is one-way with no key
Encryption scrambles data so a holder of the correct key can read it back, so it protects data you must recover later. Hashing runs input through a one-way algorithm to a fixed-length digest, uses no key, and cannot be reversed, so it verifies data without storing the original. The choice turns on one question: do you need to read the value back?
Trap Calling hashing a form of encryption or claiming a hash can be decrypted; hashing has no key and is not reversible.
4 questions test this
- How does Microsoft Entra ID verify a user's password during sign-in when password hash synchronization is configured?
- What is a key property of a hash function that makes it suitable for verifying data integrity?
- Select the answer that correctly completes the sentence. Regardless of the size of the input data, a hash function always produces [answer…
- Azure Key Vault can store secrets such as passwords. Which statement correctly describes hashing as it relates to protecting password…
- Symmetric uses one shared key; asymmetric uses a public/private pair
Symmetric encryption uses the same secret key to encrypt and decrypt, which is fast for bulk data but creates the key distribution problem of sharing that key securely. Asymmetric encryption uses a mathematically linked public and private key pair, so the public key can be shared freely and only the matching private key decrypts. Asymmetric is what solves key distribution and underpins HTTPS.
Trap Thinking data encrypted with the public key can be decrypted with that same public key; only the matching private key can decrypt it.
- Public key encrypts and verifies; private key decrypts and signs
In asymmetric encryption the two directions do different jobs. Encrypting with the recipient's public key means only their private key can decrypt it, giving confidentiality. Signing with the sender's private key lets anyone with the public key verify it, giving a digital signature that proves authenticity and integrity. The private key is the one you never share.
Trap Swapping the directions, such as expecting the public key to decrypt or to create a signature; only the private key decrypts and only the private key signs.
- Encryption protects data at rest, in transit, and in use
Data at rest is stored on a disk, database, or storage account, and is encrypted so stolen media stays unreadable. Data in transit is moving across a network and is protected by TLS (as in HTTPS) or a VPN. Data in use is being processed in memory, and is protected by confidential computing that creates a protected execution environment. All three states need their own protection.
- Salt passwords before hashing to defeat rainbow tables
Systems store the hash of a password rather than the password, so a stolen database yields only hashes. Because hashing is deterministic, attackers can precompute hashes of common passwords into rainbow tables. Adding a unique random salt to each password before hashing makes two identical passwords produce different stored hashes, so precomputed tables no longer match.
Trap Relying on plain hashing for passwords with no salt; deterministic hashes let attackers match them against precomputed rainbow tables.
- Governance sets the rules, risk ranks the threats, compliance meets the law
Governance is the system of policies and processes that directs how an organization classifies, handles, and grants access to data. Risk management identifies, scores, and treats threats so the organization can make informed decisions. Compliance is adhering to the external laws, regulations, and standards that apply. Governance creates the structure that risk and compliance operate on.
- Compliance is a minimum bar, not the same as security
Compliance is the minimum a law or regulation demands, while security is the broader set of practices that actually protect data and systems. Because compliance defines a floor, an organization can pass every required audit and still carry serious vulnerabilities. Meeting a regulation and being secure are not the same claim.
Trap Treating a passed compliance audit as proof the environment is secure; compliance is a minimum standard, not evidence of strong security.
- Respond to risk by accepting, mitigating, transferring, or avoiding it
Risk management scores each risk by impact and likelihood, then chooses one of four responses: accept a low risk, mitigate it with controls, transfer it (for example through insurance), or avoid it by changing the process. The goal is not to eliminate all risk but to understand it well enough to decide, then monitor as the environment changes.
Trap Believing risk management aims to remove all risk; the goal is to understand and treat it, and accepting a low risk is a valid response.
- Data residency is where data is stored; sovereignty is whose laws apply
Data residency governs where data may be physically stored and how it may cross borders, and the rules vary by jurisdiction. Data sovereignty is the principle that data is subject to the laws of the country or region where it is collected, held, or processed. Because these differ, one dataset can satisfy a residency rule while still falling under another country's laws as it moves.
Trap Using data residency and data sovereignty interchangeably; residency is the physical storage location, sovereignty is which laws govern the data.
- Data privacy is the proper handling of personal data
Privacy covers personal data, meaning any information that identifies a person directly or indirectly, such as a name, an email address, or location history. Privacy rules require transparency about what is collected, appropriate consent, and honoring individual rights to access, correct, or delete their data. Organizations are subject to these laws wherever they operate and wherever their customers are located.
Also tested in
References
- Shared responsibility in the cloud
- SC-900: Describe the shared responsibility model
- SC-900: Describe defense in depth
- Zero Trust as a security foundation
- SC-900: Describe the Zero Trust model
- SC-900: Describe encryption and hashing
- Azure Key Vault overview
- SC-900: Describe governance, risk, and compliance (GRC) concepts