Capability Brief
Azure Cloud Infrastructure Security Review
We review the Azure infrastructure that supports your applications and platform - from subscription-level controls down to individual resource configurations, container security, and the identity and network boundaries that protect your deployment.
What this is about
Infrastructure security for your applications and platform
When organizations deploy applications on Azure, the security of the underlying infrastructure matters as much as the application code itself. Misconfigured subscriptions, overly permissive network access, weak identity controls, and unpatched container images can all undermine an otherwise well-built application. Casaba reviews the Azure resources that support commercial applications and platform code - the subscriptions, AKS clusters, databases, Key Vaults, networking, and identity configurations that make up the deployment environment.
What we test
Seven focus areas
Azure Subscription and Tenant Configuration
Resource organization, security center recommendations, subscription-level policies, compliance posture, and resource group structure.
Identity and Access Management
MFA enforcement for owner, write, and read accounts on the subscription; Azure Active Directory (now Microsoft Entra ID) configuration for service identities; Privileged Identity Management (PIM) for just-in-time access to production resources; admin account separation; and review of service principals and managed identities.
Network Segmentation
Public vs. private endpoints on Key Vaults, SQL databases, and Kubernetes API servers; network security group (NSG) rules; egress filtering; network isolation of sensitive resources; virtual network design.
AKS and Container Security
Pod security contexts and namespace isolation, privileged container detection, IMDS endpoint accessibility from pods, container image vulnerability scanning, Helm chart and Dockerfile review, service account token mounting, container CPU and memory limits.
Storage and Database Security
Encryption at rest across services, public access controls on Key Vaults, SQL databases, and storage accounts, key management and rotation practices, purge protection settings, blob access policies.
Logging and Monitoring
Microsoft Defender enablement across platform services (SQL, App Service, Key Vault, Kubernetes), diagnostic logging configuration, Security Center recommendation status, audit trail completeness.
TLS and Certificate Management
TLS version enforcement (1.2 minimum) across all services, cipher suite configuration, certificate hostname validation, SSL/TLS protocol scanning.
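The network exposure, storage and database, and TLS checks above reduce to a handful of resource properties. The script below is an added illustration written for this brief, not Casaba's tooling: it runs the checks offline over ARM-style resource JSON (the shape `az resource show` returns for a Key Vault, SQL server, or storage account). The property names (`publicNetworkAccess`, `networkAcls.defaultAction`, `enablePurgeProtection`, `minimalTlsVersion`, `allowBlobPublicAccess`, `minimumTlsVersion`, `supportsHttpsTrafficOnly`) are the real ARM properties; the three resources and their values are constructed for the example.

```python
"""Offline configuration checks for network exposure, purge protection, public blob
access and TLS minimums, run over ARM-style resource JSON. The three resources below
are constructed for this example, not exported from a real tenant."""
import json
from typing import Dict, List

KV = "Microsoft.KeyVault/vaults"
SQL = "Microsoft.Sql/servers"
STORAGE = "Microsoft.Storage/storageAccounts"

# Constructed sample export: each resource carries at least one weak setting.
SAMPLE_RESOURCES = json.loads(r"""[
  {"type": "Microsoft.KeyVault/vaults", "name": "kv-prod-example",
   "properties": {"publicNetworkAccess": "Enabled",
                  "networkAcls": {"defaultAction": "Allow"},
                  "enablePurgeProtection": false}},
  {"type": "Microsoft.Sql/servers", "name": "sql-prod-example",
   "properties": {"publicNetworkAccess": "Enabled", "minimalTlsVersion": "1.0"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stprodexample",
   "properties": {"allowBlobPublicAccess": true, "minimumTlsVersion": "TLS1_1",
                  "supportsHttpsTrafficOnly": true, "publicNetworkAccess": "Disabled",
                  "networkAcls": {"defaultAction": "Deny"}}}
]""")


def is_network_restricted(props: dict) -> bool:
    """True when the resource is not reachable from arbitrary networks: either the
    public endpoint is disabled, or the resource firewall denies by default.
    An absent publicNetworkAccess property means the Azure default, Enabled."""
    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        return True
    return props.get("networkAcls", {}).get("defaultAction") == "Deny"


def check_resource(res: dict) -> List[str]:
    """Return human-readable findings for one resource; an empty list means clean."""
    rtype, props = res["type"], res.get("properties", {})
    findings: List[str] = []
    if rtype in (KV, SQL, STORAGE) and not is_network_restricted(props):
        findings.append("publicly exposed: accepts connections from any network")
    if rtype == KV and not props.get("enablePurgeProtection", False):
        findings.append("purge protection disabled: soft-deleted keys can be destroyed")
    if rtype == SQL and props.get("minimalTlsVersion") not in ("1.2", "1.3"):
        findings.append(f"weak TLS minimum: {props.get('minimalTlsVersion', 'unset')}")
    if rtype == STORAGE:
        # Older accounts may leave allowBlobPublicAccess unset; only an explicit
        # true is flagged here, so confirm unset values in the portal or CLI.
        if props.get("allowBlobPublicAccess") is True:
            findings.append("public blob access enabled")
        if props.get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):
            findings.append(f"weak TLS minimum: {props.get('minimumTlsVersion', 'unset')}")
        if not props.get("supportsHttpsTrafficOnly", False):
            findings.append("plain HTTP traffic allowed")
    return findings


def audit(resources: List[dict]) -> Dict[str, List[str]]:
    """Map resource name -> findings for every resource in the export."""
    return {res["name"]: check_resource(res) for res in resources}


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_RESOURCES).items():
        print(f"{name}: {'OK' if not issues else f'{len(issues)} finding(s)'}")
        for issue in issues:
            print(f"  - {issue}")
```

On the constructed sample, the Key Vault and SQL server are each flagged for public exposure plus one service-specific weakness, while the storage account passes the network check (public access disabled and firewall set to deny) but is still flagged for public blob access and a TLS 1.1 floor. Both of the exposure signals are deliberately treated as equivalent: disabling the public endpoint and setting the firewall default action to Deny both stop the "any network" pattern described above.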
How we approach it
Manual review backed by automated scanning
Casaba combines manual review of Azure configurations with automated scanning using ScoutSuite and Azure's own Security Center and Defender dashboards. Consultants are given Reader access to the target Azure subscription and systematically review resource configurations against CIS Azure Benchmarks and Microsoft security recommendations.
For AKS environments, Casaba reviews Helm charts, Dockerfiles, and cluster configurations, then validates findings through dynamic testing from within the cluster using kubectl. Static analysis of container images uses Trivy to identify known CVEs in base images and dependencies. Identity review covers service principals, managed identities, and human accounts with access to production infrastructure, with a focus on least privilege and just-in-time access patterns.
What we find
Typical finding patterns
Missing MFA on Privileged Accounts
Owner accounts or accounts with write access to production Azure subscriptions without multi-factor authentication enabled.
Publicly Exposed Resources
Key Vaults, SQL databases, and Kubernetes API servers configured to accept connections from any network.
Container Image Vulnerabilities
Known CVEs in base images or outdated dependencies running in production AKS clusters.
IMDS Access from AKS Pods
Pods with unrestricted access to the Instance Metadata Service (IMDS), enabling credential theft from Virtual Machine Scale Sets.
Privileged Containers
Containers running in privileged mode or as root without operational necessity.
Host Namespace Sharing
Pods sharing the host's PID, network, or IPC namespaces, exposing node-level processes and credentials.
Disabled Microsoft Defender
Missing or disabled Defender across SQL, App Service, Kubernetes, and other platform services, leaving gaps in threat detection.
Deprecated TLS Versions
SSLv3, TLS 1.0, and TLS 1.1 still accepted by services hosting application traffic, along with SSL certificates with mismatched Common Names.
Inadequate Key Rotation
Inadequate key rotation practices and unencrypted key handoff procedures.
Excessive Permanent Admin Assignments
Permanent administrator roles on production subscriptions without PIM just-in-time controls, expanding the window for credential-based attacks.
Disabled Logging and Auditing
Diagnostic logging and auditing disabled across Key Vault, Kubernetes, SQL, and VM Scale Set services, creating blind spots in incident response.
Public Blob Access
Storage accounts with public blob access enabled in production environments.
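The AKS findings above (privileged containers, root users, host namespace sharing, service account token mounting, missing limits, and IMDS reachability) can mostly be read straight from pod manifests, with IMDS being the exception because it is a network-path question. The checker below is an added example for this brief, not Casaba's tooling: it evaluates pod manifests as Python dicts using the standard Kubernetes field names (`hostPID`, `hostNetwork`, `hostIPC`, `automountServiceAccountToken`, `securityContext.privileged`, `runAsNonRoot`, `runAsUser`, `resources.limits`), and applies a labelled heuristic to NetworkPolicy objects to see whether egress to the IMDS address 169.254.169.254 is carved out. The two pods and the policy are constructed for the example.

```python
"""Pod-manifest checks for the AKS finding patterns above, plus a heuristic for
whether a namespace's NetworkPolicy blocks egress to the Instance Metadata Service.
The manifests below are constructed for this example, not taken from a cluster."""
from typing import List

IMDS_CIDR = "169.254.169.254/32"  # Azure IMDS link-local address

# Constructed pod spec that triggers several findings at once.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "build-agent", "namespace": "ci"},
    "spec": {
        "hostPID": True, "hostNetwork": True,
        "containers": [{"name": "agent", "image": "registry.example/agent:latest",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed hardened counterpart: non-root, no token mount, limits set.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{"name": "api", "image": "registry.example/api:1.4.2",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
    },
}

# Constructed NetworkPolicy: allow all egress except the IMDS address.
PROD_EGRESS_POLICY = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "deny-imds", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Egress"],
             "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                             "except": [IMDS_CIDR]}}]}]},
}


def all_containers(spec: dict) -> List[dict]:
    """Init containers run with the same host-level exposure, so include them."""
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_pod(pod: dict) -> List[str]:
    """Return findings for one pod manifest; an empty list means clean."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"host namespace shared: {flag}")
    if spec.get("automountServiceAccountToken", True):  # Kubernetes default is True
        findings.append("service account token auto-mounted")
    for c in all_containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        # Container-level settings override pod-level; unset means the image default,
        # which is often root, so treat unset as a finding.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and (uid is None or uid == 0):
            findings.append(f"{c['name']}: may run as root")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"{c['name']}: missing CPU/memory limits")
    return findings


def imds_egress_blocked(policies: List[dict], namespace: str) -> bool:
    """Heuristic: True if an egress NetworkPolicy in the namespace carves the IMDS
    address out of an ipBlock it allows. It does not model pod selectors or other
    permissive rules, so treat True as 'worth confirming', not as proof."""
    for pol in policies:
        if pol["metadata"].get("namespace") != namespace:
            continue
        if "Egress" not in pol["spec"].get("policyTypes", []):
            continue
        for rule in pol["spec"].get("egress", []):
            for peer in rule.get("to", []):
                if IMDS_CIDR in peer.get("ipBlock", {}).get("except", []):
                    return True
    return False


if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        ns = pod["metadata"]["namespace"]
        print(f"{ns}/{pod['metadata']['name']}: {check_pod(pod) or 'OK'}")
        print(f"  IMDS egress blocked in {ns}: {imds_egress_blocked([PROD_EGRESS_POLICY], ns)}")
```

The constructed `build-agent` pod collects six findings (two shared host namespaces, an auto-mounted token, a privileged container that may run as root, and no limits), and its `ci` namespace has no policy carving out IMDS, which is exactly the combination the "IMDS Access from AKS Pods" pattern describes. The hardened `api` pod is clean, and its namespace policy excludes the IMDS address. In a live review the manifests would come from `kubectl get pods -A -o json` and the policies from `kubectl get networkpolicies -A -o json`; the point of the heuristic's caveat is that a pod with no matching egress policy is not restricted at all, so a single permissive policy elsewhere in the namespace can undo the exclusion.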
Why it matters
Infrastructure misconfigurations undermine application security
Azure environments are complex, and misconfigurations in the infrastructure supporting an application can be just as damaging as vulnerabilities in the code itself. An AKS pod with access to IMDS can steal identity tokens from the underlying Virtual Machine Scale Set and pivot to other Azure resources. A Key Vault exposed to the public internet bypasses the network isolation the application depends on. An admin account without MFA on a production subscription is one credential leak away from full access to customer data. Regular infrastructure reviews by consultants who understand both Azure's configuration surface and real-world attack patterns catch these issues before they are exploited.
Need your systems tested?
We review Azure environments for the misconfigurations that lead to breaches. Let's talk about yours.