Domain 1 of 4 · Chapter 1 of 2

Security and Compliance Concepts

The shared responsibility model

Ask one question of any cloud security task and most of this topic falls into place: do you configure it, or does Microsoft run it for you? That single dividing line is the shared responsibility model, and it moves depending on how much of the stack you rent. In an on-premises datacenter you own the whole stack; as you move to the cloud, some duties transfer to Microsoft, and the more managed the service, the more it absorbs (Shared responsibility in the cloud[1]).

Microsoft splits cloud services into three models, and the responsibility boundary sits at a different height in each. With infrastructure as a service (IaaS), such as an Azure virtual machine, Microsoft secures the physical hosts, physical network, and datacenter, and you still own the operating system, applications, and network controls on top. With platform as a service (PaaS), such as Azure App Service, Microsoft additionally runs the operating system, so your job narrows to the application and its data. With software as a service (SaaS), such as Microsoft 365, you consume a finished application and hand almost everything to Microsoft (SC-900 shared responsibility[2]).

What never transfers

Three responsibilities stay with you no matter the model, and this is the single most tested fact in the topic: your information and data, your devices (the phones, laptops, and PCs that reach your services), and your accounts and identities. Because you always own identity, you also always own access management: the role assignments, multifactor authentication, and conditional access that decide who may do what. A band in the middle of the matrix is genuinely shared, most notably the identity and directory infrastructure, applications, network controls, and operating system, where the split depends on whether the service is IaaS, PaaS, or SaaS. The grid below reads left (you own the most, on-premises) to right (Microsoft owns the most, SaaS).

Who is responsible, by service modelResponsibility areaOn-premisesIaaSPaaSSaaSInformation and dataYouYouYouYouDevices (mobile, PCs)YouYouYouYouAccounts and identitiesYouYouYouYouIdentity and directoryinfrastructureYouSharedSharedSharedApplicationsYouYouSharedMicrosoftNetwork controlsYouYouSharedMicrosoftOperating systemYouYouMicrosoftMicrosoftPhysical hostsYouMicrosoftMicrosoftMicrosoftPhysical networkYouMicrosoftMicrosoftMicrosoftPhysical datacenterYouMicrosoftMicrosoftMicrosoftYouSharedMicrosoftData, devices, and identities are always yours
The Microsoft responsibility matrix: data, devices, and identities stay yours in every model, while the physical layers are always Microsoft.

Defense in depth and the CIA triad

No single wall stops every attacker, so defense in depth stacks several independent walls: if one layer is breached, the next still stands between the attacker and your data (SC-900 defense in depth[3]). Microsoft describes seven layers, drawn from the outside in.

  • Physical security limits who can touch the hardware, through locked facilities, badge readers, guards, and cameras.
  • Identity and access authenticates and authorizes users before granting access, using multifactor authentication (MFA), role-based access control (RBAC), and conditional access; even a stolen password can be stopped here.
  • Perimeter protects the network boundary from bulk external attacks, including distributed denial-of-service (DDoS) protection and perimeter firewalls.
  • Network controls traffic between resources through segmentation and network security groups (NSGs), so a compromise in one zone does not automatically reach every other.
  • Compute hardens virtual machines and containers by patching, closing unused ports, and restricting administrative access.
  • Application ensures software ships without exploitable flaws, through secure development and input validation against attacks such as SQL injection.
  • Data is the innermost and most critical layer: access controls, encryption, and data classification protect the information every other layer exists to defend.

The CIA triad

Every layer works toward the same three goals, the CIA triad. Confidentiality keeps data readable only to authorized parties, and a breach of it is what we call a data breach. Integrity keeps data accurate and unaltered except through authorized changes, which is why verifying the hash of a downloaded file is an integrity check. Availability keeps systems reachable for legitimate users, which is exactly what a DDoS attack or ransomware takes away. The three can pull against each other: encrypting everything strengthens confidentiality, but losing the keys destroys availability, so good security balances the three rather than maximizing any one.

Defense in depth: seven layers, outside inPhysical securityIdentity and accessPerimeterNetworkComputeApplicationData (core)OutsideCoreBreach one layer and the next still stands between attacker and data
The seven defense-in-depth layers, outermost (physical) to core (data); every layer serves confidentiality, integrity, and availability.

The Zero Trust model

The traditional security model trusted anything inside the corporate network and guarded only the perimeter. That fails against modern attacks built on stolen identities, phishing, and session hijacking, which do not depend on network location (Zero Trust as a security foundation[4]). Zero Trust replaces perimeter trust with one rule, never trust, always verify, treating every request as if it came from an open network.

Three guiding principles govern every access decision (SC-900 Zero Trust[5]):

  • Verify explicitly. Authenticate and authorize from all available signals: the user identity, sign-in location, the device and its compliance state, the application and data involved, and anomalies such as an unusual sign-in time, rather than from a single factor like a password.
  • Use least privilege access. Grant only the access a task needs, for only as long as it is needed. This is implemented with just-in-time (JIT) access and just-enough-access (JEA), plus risk-based adaptive policies that tighten automatically when activity looks risky.
  • Assume breach. Design as though an attacker is already inside: segment access so a compromised account cannot roam freely, encrypt data end to end, and monitor so a breach is detected and contained quickly.

The pillars

Microsoft enforces these principles across a set of interconnected pillars. Six are the resources and signal sources to defend, identities, devices, applications, data, infrastructure, and networks, and a seventh, visibility, automation, and orchestration, collects the signals from the other six and coordinates the response, typically through security information and event management (SIEM) and security orchestration, automated response (SOAR) tooling. Identity is called out as the primary control plane, because almost every successful attack eventually relies on abusing an identity.

Zero Trust: never trust, always verifyVerify explicitlyEvaluate all signalsIdentity, device, locationRisk and anomaliesUse least privilegeJust-in-time (JIT)Just-enough-access (JEA)Adaptive risk policyAssume breachSegment accessEncrypt end to endMonitor and analyticsEnforced across the Zero Trust pillarsIdentitiesDevicesApplicationsDataInfrastructureNetworksVisibility, automation and orchestration (7th pillar, correlates all six)
Zero Trust: three guiding principles, enforced across six resource pillars plus a seventh that correlates their signals.

Encryption and hashing

Encryption and hashing both turn readable data into something unreadable, but they answer different questions, and telling them apart is the classic trap in this topic. Encryption is reversible: it scrambles data so that only a holder of the correct key can turn it back into plaintext, which is what protects data you must read again later (SC-900 encryption and hashing[6]). Hashing is one-way: it has no key and cannot be reversed.

Two kinds of encryption

Symmetric encryption uses the same secret key to encrypt and decrypt. It is fast and well suited to bulk data such as files or database records, but it raises the key distribution problem, because both sides need the same key and sharing it securely is hard. Asymmetric encryption uses a mathematically related key pair, a public key and a private key, where you cannot derive the private key from the public one. Data encrypted with the public key can be decrypted only with the private key, which solves key distribution because the public key can be shared freely; the reverse direction, signing with the private key and verifying with the public key, produces digital signatures. Asymmetric encryption underpins HTTPS, where Transport Layer Security (TLS) secures the connection between browser and server.

Encryption is also described by the state of the data: at rest (stored on a disk, database, or storage account), in transit (moving across a network, protected by TLS or a VPN), and in use (being processed in memory, protected by confidential computing). Because encryption is only as strong as its keys, key management matters as much as the algorithm: store keys apart from the data, use hardware security modules (HSMs), and rotate keys regularly. Azure Key Vault is Microsoft's managed service for storing keys, secrets, and certificates (Azure Key Vault[7]).

Hashing

Hashing runs any input through an algorithm to a fixed-length value called a hash, or digest. The same input always produces the same hash, and the value cannot be reversed to recover the input, which makes a hash a reliable fingerprint for verifying data without ever storing the original. That is why a system stores the hash of a password rather than the password itself: a stolen database yields only hashes. Because hashing is deterministic, attackers can precompute the hashes of common passwords into rainbow tables, so passwords are salted first. A salt is a unique random value added to each password before hashing, so two identical passwords produce different stored hashes and precomputed tables no longer match.

Encryption vs hashingProtecting dataEncryptionreversible, uses a keyHashingone-way, no keySymmetricone shared keyfast, bulk dataAsymmetricpublic + private pairHTTPS, signaturesFixed-length digestsame input,same hashSalt passwordsunique per hash,blocks rainbow tables
Encryption is reversible with a key, symmetric or asymmetric; hashing is a one-way, keyless digest, salted for passwords.

Governance, risk, and compliance (GRC)

Organizations operate under a growing web of laws about how data is protected, where it may be stored, and who is accountable when something goes wrong. Governance, risk, and compliance (GRC) is the framework of policies, processes, and technology that keeps an organization on the right side of those obligations (SC-900 GRC concepts[8]). Its three parts play distinct roles.

  • Governance is the system of rules, practices, and processes that directs and controls an organization: who may access which resources, who holds administrative rights and for how long, and how data is classified, handled, and retained. Governance creates the structure on which the other two operate.
  • Risk management identifies, assesses, and responds to threats. The goal is not to eliminate all risk but to understand it well enough to make informed decisions. Risk comes from outside (cyberattacks, disasters, suppliers) and inside (accidental exposure, insider threats). The process runs as a loop: identify risks, assess each by impact and likelihood to produce a risk score, respond by choosing to accept, mitigate, transfer (for example through insurance), or avoid the risk, and monitor continuously as the environment changes.
  • Compliance is adherence to the laws, regulations, standards, and policies that apply, which depend on industry, geography, and data type. Familiar examples are HIPAA (US health data), ISO 27001 (an information security management standard), and SOC (an auditing standard for service providers).

Compliance is a floor, not security

A point the exam presses: compliance is not the same as security. Compliance is the minimum a law or regulation demands, while security is the broader set of practices that actually protect data and systems. An organization can be fully compliant and still carry serious vulnerabilities.

Data residency, sovereignty, and privacy

Three data-location terms sit inside compliance and are easy to confuse. Data residency is about where data may be physically stored, and how or when it may be transferred or accessed across borders; the rules differ by jurisdiction. Data sovereignty is the principle that data is subject to the laws of the country or region where it is physically collected, held, or processed, so a single dataset can fall under several jurisdictions as it moves between them. Data privacy is the appropriate handling of personal data, meaning any information that identifies a person, and it requires transparency about what is collected, obtaining consent, and honoring individual rights to access, correct, or delete their data.

The risk management loopIdentifyfind risksAssessimpact × likelihoodRespondchoose a treatmentMonitortrack and re-measureAccept · Mitigate · Transfer · AvoidReassess as the environment changes
Risk management runs as a loop: identify, assess by impact and likelihood, respond (accept, mitigate, transfer, or avoid), then monitor.

Exam pattern recognition

These concepts appear as short "which term fits" or "who is responsible" questions. Anchor on the sharpest distinction in each.

Shared responsibility, who owns it. If the stem names your data, your accounts and identities, or the devices that access your services, the answer is you, in every model including SaaS. If it names the physical datacenter, physical hosts, or physical network, the answer is always Microsoft. The operating system flips with the model: yours on IaaS, Microsoft's on PaaS and SaaS. A classic distractor claims Microsoft owns your identities or your data because the service is managed; it never does.

Encryption vs hashing. If the task must recover the original value later, the answer is encryption, which is reversible and uses a key. If it stores passwords or checks that data was not altered, the answer is hashing, which is one-way and keyless. Within encryption, the same key both ways is symmetric, while a public and private key pair is asymmetric; encrypting with a public key and decrypting with the private key is the asymmetric giveaway. Calling hashing a form of encryption, or claiming a hash can be decrypted, is the trap.

Zero Trust principles. Match the phrase to the principle: evaluating many signals before granting access is verify explicitly; JIT or JEA access is use least privilege; segmenting and encrypting because an attacker may already be inside is assume breach.

Residency vs sovereignty vs compliance. Where data may be stored is residency; whose laws apply to it is sovereignty; meeting a named regulation such as HIPAA or ISO 27001 is compliance. And remember that being compliant is a minimum bar, not proof of being secure.

Encryption (symmetric vs asymmetric) vs hashing

PropertySymmetric encryptionAsymmetric encryptionHashing
KeysOne shared secret keyPublic + private key pairNo key at all
Reversible?Yes, with the shared keyYes, with the private keyNo, it is one-way
OutputCiphertext, variable lengthCiphertext, variable lengthFixed-length digest
Main problem it solvesFast bulk encryptionKey distribution and digital signaturesVerify data without storing the original
Typical useFiles, disks, databases at restHTTPS/TLS, email, code signingPassword storage, file integrity checks
Exam tellSame key encrypts and decryptsEncrypt with public, decrypt with privateOne-way, no key, cannot be undone

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Data, devices, and identities are always your responsibility

In every cloud model, including SaaS, three duties never transfer to Microsoft: your information and data, your devices (the phones, laptops, and PCs that reach your services), and your accounts and identities. Because identity stays yours, so does access management: multifactor authentication, role assignments, and conditional access. These are the most tested 'who is responsible' answers precisely because they never shift to the provider.

Trap Assuming a managed or SaaS service makes Microsoft responsible for your user identities or data; those stay with you no matter how managed the service is.

7 questions test this
The responsibility line rises from IaaS to PaaS to SaaS

On-premises you own the whole stack. With IaaS, Microsoft owns the physical hosts, network, and datacenter while you own the operating system, applications, and network controls. PaaS moves the operating system to Microsoft's side, leaving you the application and its data. SaaS hands almost everything to Microsoft. The more managed the service, the smaller your share.

Trap Putting operating-system patching on the customer for PaaS or SaaS; the OS is Microsoft's responsibility there, and only the customer's on IaaS.

3 questions test this
Physical hosts, network, and datacenter are always Microsoft's in the cloud

Once a workload runs in the cloud, the three physical layers, physical hosts, physical network, and physical datacenter, are Microsoft's responsibility in every service model. The customer never secures the datacenter building, the racks, or the cabling.

Trap Assigning physical datacenter or host security to the customer for IaaS; physical layers are always Microsoft's once you are in the cloud.

3 questions test this
Defense in depth stacks independent layers so one breach is not fatal

Defense in depth uses overlapping controls from the outside in: physical, identity and access, perimeter, network, compute, application, and data at the core. Each layer is independent, so if an attacker gets past one, the next still stands between them and the data. It is the opposite of trusting a single perimeter wall.

1 question tests this
The CIA triad is confidentiality, integrity, and availability

Every security control ultimately serves one of three goals. Confidentiality keeps data readable only to authorized parties. Integrity keeps data accurate and unaltered except by authorized changes. Availability keeps systems reachable for legitimate users. Attacks map to these too: theft targets confidentiality, tampering targets integrity, and a denial-of-service targets availability.

Trap Confusing integrity with confidentiality; integrity is about unauthorized modification or tampering, while confidentiality is about unauthorized reading.

A hash check verifies integrity, not confidentiality

Comparing a downloaded file's hash to the value the publisher lists confirms the file was not altered, which is an integrity control. It reveals nothing about who can read the file, so it gives no confidentiality. Hashing detects change; encryption hides content.

Trap Treating a hash or checksum as a way to keep data secret; it detects tampering but does not conceal the data.

1 question tests this
Zero Trust means never trust, always verify

Zero Trust drops the assumption that anything inside the corporate network is safe and verifies every request as if it came from an open network. It replaces the old perimeter model because modern attacks use stolen identities and phishing that do not depend on network location. Trust is earned per request, not granted by the network.

Trap Assuming traffic from inside the corporate network is automatically trusted; under Zero Trust, network location is never by itself proof of trust.

1 question tests this
Verify explicitly decides from many signals, not one factor

The verify-explicitly principle authenticates and authorizes from all available signals: user identity, sign-in location, the device and its compliance state, the app and data involved, and anomalies such as an unusual sign-in time. The more signals evaluated, the more confidence the right person is reaching the right resource. A single factor like a password is not enough.

Trap Treating a correct password alone as sufficient; verify explicitly weighs multiple signals, so a valid password from an unmanaged device or odd location can still be challenged.

2 questions test this
Least privilege grants just enough access, just in time

The least-privilege principle gives users and systems only the access a task needs, for only as long as it is needed. It is implemented with just-in-time (JIT) access, which grants then revokes, and just-enough-access (JEA), which scopes to the exact permissions required. Risk-based adaptive policies tighten access automatically when activity looks risky.

Assume breach: segment, encrypt, and monitor as if already compromised

The assume-breach principle designs security as though an attacker is already inside. You segment access so a compromised account cannot roam freely, encrypt data end to end so intercepted data is unreadable, and monitor with analytics so a breach is detected and contained quickly. Effort shifts from only keeping attackers out to limiting what they can do once in.

1 question tests this
Zero Trust spans six resource pillars plus a seventh that correlates signals

Microsoft enforces Zero Trust across six pillars that are the resources and signal sources to defend: identities, devices, applications, data, infrastructure, and networks. A seventh pillar, visibility, automation, and orchestration, aggregates the signals from the other six and coordinates the response, typically through SIEM and SOAR tooling. Identity is described as the primary control plane because most attacks eventually abuse one.

2 questions test this
Encryption is reversible with a key; hashing is one-way with no key

Encryption scrambles data so a holder of the correct key can read it back, so it protects data you must recover later. Hashing runs input through a one-way algorithm to a fixed-length digest, uses no key, and cannot be reversed, so it verifies data without storing the original. The choice turns on one question: do you need to read the value back?

Trap Calling hashing a form of encryption or claiming a hash can be decrypted; hashing has no key and is not reversible.

4 questions test this
Symmetric uses one shared key; asymmetric uses a public/private pair

Symmetric encryption uses the same secret key to encrypt and decrypt, which is fast for bulk data but creates the key distribution problem of sharing that key securely. Asymmetric encryption uses a mathematically linked public and private key pair, so the public key can be shared freely and only the matching private key decrypts. Asymmetric is what solves key distribution and underpins HTTPS.

Trap Thinking data encrypted with the public key can be decrypted with that same public key; only the matching private key can decrypt it.

1 question tests this
Public key encrypts and verifies; private key decrypts and signs

In asymmetric encryption the two directions do different jobs. Encrypting with the recipient's public key means only their private key can decrypt it, giving confidentiality. Signing with the sender's private key lets anyone with the public key verify it, giving a digital signature that proves authenticity and integrity. The private key is the one you never share.

Trap Swapping the directions, such as expecting the public key to decrypt or to create a signature; only the private key decrypts and only the private key signs.

1 question tests this
Encryption protects data at rest, in transit, and in use

Data at rest is stored on a disk, database, or storage account, and is encrypted so stolen media stays unreadable. Data in transit is moving across a network and is protected by TLS (as in HTTPS) or a VPN. Data in use is being processed in memory, and is protected by confidential computing that creates a protected execution environment. All three states need their own protection.

Salt passwords before hashing to defeat rainbow tables

Systems store the hash of a password rather than the password, so a stolen database yields only hashes. Because hashing is deterministic, attackers can precompute hashes of common passwords into rainbow tables. Adding a unique random salt to each password before hashing makes two identical passwords produce different stored hashes, so precomputed tables no longer match.

Trap Relying on plain hashing for passwords with no salt; deterministic hashes let attackers match them against precomputed rainbow tables.

1 question tests this
Governance sets the rules, risk ranks the threats, compliance meets the law

Governance is the system of policies and processes that directs how an organization classifies, handles, and grants access to data. Risk management identifies, scores, and treats threats so the organization can make informed decisions. Compliance is adhering to the external laws, regulations, and standards that apply. Governance creates the structure that risk and compliance operate on.

Compliance is a minimum bar, not the same as security

Compliance is the minimum a law or regulation demands, while security is the broader set of practices that actually protect data and systems. Because compliance defines a floor, an organization can pass every required audit and still carry serious vulnerabilities. Meeting a regulation and being secure are not the same claim.

Trap Treating a passed compliance audit as proof the environment is secure; compliance is a minimum standard, not evidence of strong security.

Respond to risk by accepting, mitigating, transferring, or avoiding it

Risk management scores each risk by impact and likelihood, then chooses one of four responses: accept a low risk, mitigate it with controls, transfer it (for example through insurance), or avoid it by changing the process. The goal is not to eliminate all risk but to understand it well enough to decide, then monitor as the environment changes.

Trap Believing risk management aims to remove all risk; the goal is to understand and treat it, and accepting a low risk is a valid response.

Data residency is where data is stored; sovereignty is whose laws apply

Data residency governs where data may be physically stored and how it may cross borders, and the rules vary by jurisdiction. Data sovereignty is the principle that data is subject to the laws of the country or region where it is collected, held, or processed. Because these differ, one dataset can satisfy a residency rule while still falling under another country's laws as it moves.

Trap Using data residency and data sovereignty interchangeably; residency is the physical storage location, sovereignty is which laws govern the data.

Data privacy is the proper handling of personal data

Privacy covers personal data, meaning any information that identifies a person directly or indirectly, such as a name, an email address, or location history. Privacy rules require transparency about what is collected, appropriate consent, and honoring individual rights to access, correct, or delete their data. Organizations are subject to these laws wherever they operate and wherever their customers are located.

Also tested in

References

  1. Shared responsibility in the cloud
  2. SC-900: Describe the shared responsibility model
  3. SC-900: Describe defense in depth
  4. Zero Trust as a security foundation
  5. SC-900: Describe the Zero Trust model
  6. SC-900: Describe encryption and hashing
  7. Azure Key Vault overview
  8. SC-900: Describe governance, risk, and compliance (GRC) concepts