Last Updated on May 15, 2026 by Arnav Sharma
The phrase “secure by design” appears in government mandates, vendor marketing, and architecture guidance with enough frequency that it has started to lose meaning. CISA and the FBI’s Secure by Design guidance, published in 2023 and updated in 2024, gave it a specific technical definition: software and infrastructure where security properties are not added as an afterthought but are intrinsic to the design, making insecurity the difficult outcome rather than the default.
For Azure architects, this is both a design philosophy and a specific set of architectural patterns. This article covers how to implement Secure by Design principles in Azure infrastructure using the tools and services available in 2026.
Why “Bolt-On” Security Fails in Cloud Environments
Traditional enterprise security was designed for static infrastructure. A firewall at the network perimeter, antivirus on endpoints, and a SIEM collecting logs from a known set of servers could provide reasonable coverage when the environment changed slowly and deliberately.
Cloud environments break every assumption that model rests on. Azure infrastructure can provision hundreds of resources in minutes through Infrastructure as Code. Developers can create service principals, storage accounts, and network rules without involving the security team. The attack surface changes continuously and at a speed that reactive security cannot match.
The consequence is that organisations that have migrated to Azure while maintaining a bolt-on security model, applying security controls after deployment rather than embedding them in deployment pipelines, face a structural deficit: their security posture is always behind the current state of their infrastructure.
Secure by Design in Azure means the infrastructure cannot be deployed in an insecure configuration in the first place, not that insecure configurations are detected and remediated after deployment.
The Azure Policy Foundation
Azure Policy is the architectural foundation of Secure by Design in Azure. It enforces configuration standards at the resource level, before and after deployment, using built-in and custom policy definitions.
The critical distinction between Azure Policy effects is the difference between Audit (detects non-compliant resources and reports on them) and Deny (prevents the deployment of non-compliant resources). Audit is a detection control. Deny is a preventive control. Secure by Design requires Deny.
A baseline Secure by Design policy set for Azure should include Deny effects for:
- Storage accounts with public blob access enabled
- Resources deployed without private endpoints in environments that require network isolation
- Virtual machines deployed without Microsoft Defender for Endpoint
- Key Vault instances deployed without soft delete and purge protection enabled
- Resources deployed outside of approved Azure regions
- Resources deployed without required tags (enforcing ownership and classification)
Azure Policy initiatives allow these individual policies to be grouped and applied at the Management Group level, ensuring they apply to every subscription in the hierarchy without needing to be applied individually. The Microsoft Cloud Security Benchmark initiative is a starting point that maps Azure Policy definitions to CIS controls, NIST CSF, and ISO 27001 requirements.
Infrastructure as Code as a Security Control
Terraform and Bicep are not just deployment tools. In a Secure by Design architecture, they are security controls: the only approved path from infrastructure intent to deployed resource, with security properties verified before deployment executes.
The pattern is:
- Infrastructure is defined in Terraform or Bicep with security configurations embedded in the template
- A pre-deployment scan (Checkov for Terraform, PSRule for Azure for Bicep) validates the template against security rules in the CI/CD pipeline
- The pipeline fails if the template contains a misconfiguration, blocking deployment before any resource is created
- Azure Policy Deny effects provide a backstop if resources are deployed outside the IaC pipeline
This architecture means that a developer who writes Terraform without encryption enabled on a storage account gets a pipeline failure and a specific error message pointing to the non-compliant configuration, not a Defender for Cloud alert three days after the resource is live in production.
Defender for DevOps (part of Defender for Cloud) extends this by scanning Azure DevOps and GitHub repositories for secrets, exposed credentials, and IaC misconfigurations, surfacing findings as code annotations in pull requests before merge.
Zero Trust Architecture in Azure
Zero Trust is the network-layer expression of Secure by Design: the assumption that the network is already compromised, that all access requests must be verified regardless of source, and that the minimum necessary access should be granted for the minimum necessary time.
Microsoft’s Azure Zero Trust implementation guidance covers four pillars: identity, devices, applications, and network. For Azure infrastructure, the practical implementation of each is:
Identity: Entra ID with Conditional Access policies that require phishing-resistant MFA for all privileged access, Privileged Identity Management for just-in-time role activation, and risk-based access policies that respond dynamically to Entra ID Protection signals.
Devices: Microsoft Intune device compliance policies as a Conditional Access grant condition, ensuring that only managed and compliant devices can access Azure management interfaces and sensitive applications.
Applications: Azure App Service with Entra ID authentication enabled, API Management with OAuth 2.0 validation, and service-to-service authentication using managed identities rather than client secrets.
Network: Hub-spoke topology with Azure Firewall Premium for all inter-spoke traffic, Private Endpoints for PaaS services (Storage, Key Vault, SQL), and no public internet exposure on management interfaces.
The Azure Landing Zone accelerator (available through the Azure Architecture Center) deploys a management group hierarchy, policy assignments, and network topology that implements these Zero Trust controls as the baseline rather than an overlay, demonstrating that Secure by Design architecture is deployable at scale.
Identity is the New Perimeter: Secure by Design for Entra ID
In cloud environments, identity is the control plane. An attacker with valid credentials and sufficient permissions can bypass network controls, encryption, and endpoint protection entirely. Secure by Design for identity means that the identity architecture itself prevents privilege escalation and lateral movement, not just detects them.
The specific architectural patterns are:
Least privilege by default. Service principals and managed identities receive the minimum RBAC assignment required for their function at the narrowest applicable scope. A managed identity that reads secrets from a single Key Vault has Key Vault Secrets User on that specific Key Vault, not Key Vault Administrator at the subscription level.
No long-lived credentials. Service principals with client secrets are replaced by managed identities wherever Azure services support them. Where external services require service principal authentication, secret rotation is automated through Key Vault reference integration.
No standing privileged access. Human accounts with Azure RBAC assignments at Subscription Owner or higher scope exist only as PIM-eligible assignments, not permanent assignments. Activation requires justification, approval, and triggers an alert in Sentinel.
Break-glass accounts are managed. Two emergency access accounts (break-glass) exist as permanent Global Administrators with FIDO2 keys, stored in physical security, with every sign-in generating a high-priority Sentinel alert. These accounts exist for recovery from lockout scenarios only.
Shift Left: Security in the Development Pipeline
Secure by Design extends to the application layer. Applications deployed to Azure App Service, Azure Container Apps, or AKS should be deployed with security properties verified in the build pipeline, not assessed post-deployment.
The pipeline security controls that matter most for Azure-hosted applications are:
Secret scanning in every repository using Defender for DevOps or GitHub Advanced Security, with pipeline failure on detected secrets. A committed Azure storage connection string or service principal secret should never reach a pull request.
Container image scanning before deployment to Azure Container Registry, using Microsoft Defender for Container Registries or Trivy in the CI pipeline. Images with critical CVEs should fail the pipeline.
Dependency scanning using OWASP Dependency-Check or Dependabot, identifying known vulnerabilities in application dependencies before they reach production.
IaC scanning using Checkov or tfsec to validate Terraform and Bicep templates against security benchmarks, with specific rules for Azure resource configurations that are commonly misconfigured.
The aggregate effect of these pipeline controls is that a security issue caught in a pull request costs a developer 15 minutes. The same issue caught in production costs the security team days of investigation and potential breach notification obligations.
Continuous Compliance: Keeping Secure by Design Enforced Over Time
The hardest part of Secure by Design is not the initial implementation. It is maintaining the security posture as the environment evolves, teams grow, and new services are adopted.
Microsoft Defender for Cloud’s regulatory compliance dashboard provides continuous assessment against frameworks including the Microsoft Cloud Security Benchmark, CIS Azure Foundations Benchmark, and Australian ISM (relevant for arnav.au’s Australian audience operating under ASD guidelines). The dashboard converts policy assessments into a compliance posture score with drill-down to specific failing controls.
Azure Policy’s compliance reporting feeds into the same dashboard, showing which resources are non-compliant with which policies and when they became non-compliant. This is the configuration drift detection mechanism that closes the gap between the designed-secure state and the operational state.
For organisations operating under the Australian Government Information Security Manual (ISM), the Essential Eight maturity model maps directly to Azure policy controls. MFA enforcement maps to Entra ID Conditional Access. Patching maps to Defender Vulnerability Management. Application control maps to Defender for Endpoint’s attack surface reduction rules. Secure by Design in an Australian government or government-adjacent context means the architecture satisfies Essential Eight Maturity Level 2 or 3 as a baseline, not a compliance aspiration.
The Build vs Buy Decision for Secure by Design Tooling
Organisations evaluating CSPM tools beyond the native Defender for Cloud stack face a genuine build-versus-buy decision. Wiz, Orca Security, and Prisma Cloud provide multi-cloud CSPM with attack path analysis, agentless deployment, and integration with third-party ticketing systems. These tools complement rather than replace Defender for Cloud for Azure-first organisations.
The decision framework is straightforward: if the environment is Azure-only or Azure-primary, Defender for Cloud’s native integration, breadth of detection, and inclusion in Microsoft 365 E5 or Defender for Cloud Plans provides the best cost-adjusted coverage. If the environment is genuinely multi-cloud with significant AWS or GCP footprint, the unified visibility of a third-party CSPM tool justifies the additional cost.
The architectural principle is consistent regardless of tooling: security posture management must be continuous, automated, and integrated into deployment pipelines. Quarterly manual audits are not Secure by Design. They are periodic snapshots of a posture that drifts continuously between assessments.
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.