Case Study · SaaS · United Kingdom · December 20, 2025

Azure Security Hardening for an Enterprise SaaS Client

A UK-based enterprise SaaS company operating on Azure failed their first ISO 27001 audit due to cloud security control gaps. CyberneticsPlus implemented a comprehensive Azure security programme, achieving certification 4 months later.

  • 47 security controls implemented
  • 94% Secure Score achieved
  • ISO 27001 certification gained

Azure Security Assessment · Cloud Security Hardening · ISO 27001 Support · Microsoft Defender Deployment

Background

A London-based enterprise SaaS company providing HR workflow automation to financial services firms failed their first ISO 27001 Stage 2 audit. The certifying body issued 4 major nonconformities, all related to Annex A.8 technical controls — specifically around cloud infrastructure security.

The company had a well-documented ISMS (policies, risk register, asset register), but their Azure environment had grown rapidly without corresponding security controls. Their Azure Secure Score at the time of the failed audit was 42%.

CyberneticsPlus was engaged to remediate the cloud security gaps and prepare for a repeat Stage 2 audit within 4 months.

Audit Nonconformities

NC1: Inadequate access control to cloud management plane

The audit found 12 Azure AD users with Subscription Owner or Contributor roles at the subscription level — most with no operational need for that level of access. No MFA was enforced.

NC2: Unencrypted data at rest

16 Azure VMs had unmanaged disks (not encrypted by default). 3 Azure SQL databases had Transparent Data Encryption (TDE) disabled. Blob storage containers had no encryption scope configured.

NC3: Insufficient logging and monitoring

Azure Activity Logs were not connected to a Log Analytics workspace. Microsoft Defender for Cloud was in the free tier with no enhanced plans enabled. No alerting was configured for security events.

NC4: Inadequate network security controls

NSG rules allowed 0.0.0.0/0 inbound on RDP (3389) and SSH (22) for 8 virtual machines. No Just-in-Time VM access was in place. There was no Azure Firewall or equivalent centralised egress filtering.

Remediation Programme

Week 1–2: Identity and Access

  • Microsoft Entra ID Conditional Access policies deployed:
    • MFA required for all users
    • MFA required with phishing-resistant auth for all privileged roles
    • Device compliance required for access to production resources
    • Legacy authentication protocols blocked
  • Privileged Identity Management (PIM) configured:
    • All Subscription Owner and Contributor assignments converted to PIM-eligible (no persistent assignments)
    • JIT access requires justification and approval
    • Activation time limited to 4 hours maximum
  • Access review of all 12 over-permissioned accounts:
    • 7 accounts had permissions reduced to Reader
    • 3 accounts removed from subscription access entirely (stale)
    • 2 accounts retained Contributor with PIM (infrastructure team leads)

Week 2–3: Encryption and Data Protection

  • All unmanaged disks converted to Azure Managed Disks (encrypted by default with PMK)
  • Encryption at rest enabled on all Azure SQL databases (TDE enabled)
  • Customer-Managed Keys (CMK) configured via Azure Key Vault for the 4 production SQL databases (ISO 27001 Annex A.8.24 compliance)
  • Azure Key Vault deployed:
    • Soft delete retention: 90 days
    • Purge protection enabled
    • Private endpoint configured
    • RBAC model (not legacy access policies)
  • Storage account security: HTTPS-only enforced, TLS 1.2 minimum, shared key access disabled

Week 3–4: Logging and Monitoring

  • Microsoft Defender for Cloud: all relevant Defender plans enabled (Servers, Databases, App Service, Key Vault, Storage)
  • Log Analytics workspace created; diagnostic settings configured for:
    • All 8 virtual machines (Windows Event logs, Syslog)
    • Azure Activity Log (subscription level)
    • Entra ID sign-in and audit logs
    • All Azure SQL database audit logs
    • Key Vault audit events
    • NSG Flow Logs (all NSGs)
  • Microsoft Sentinel deployed:
    • Connected to the Log Analytics workspace
    • Enabled analytics rules: Microsoft Security Incident Creation, Anomalous sign-in
    • Alert rules for: Global Admin assigned, Mass deletion of resources, Sign-in from blocked country
  • Azure Monitor alert rules:
    • Subscription Owner role assigned → immediate alert to CISO
    • Security Center recommendation created (Critical) → Slack notification
    • Unexpected VM auto-shutdown → alert
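The "Subscription Owner role assigned" alert above is the kind of rule a security team should be able to test offline before relying on it. The following Python is an added example, not CyberneticsPlus's tooling: it evaluates that condition over constructed Activity Log records for role-assignment writes. The record shape (operationName, status, caller, resourceId, properties.requestbody) and the placeholder subscription id are assumptions; the role GUIDs are Azure's built-in Owner, Contributor and Reader role definition ids.

```python
import json

# Built-in Azure role definition GUIDs (well-known values, not specific to this client).
PRIVILEGED_ROLES = {"8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
                    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor"}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

def _event(status, scope, role_id, caller):
    """Build one constructed Activity Log record for a role-assignment write (shape is an assumption)."""
    return {
        "operationName": "Microsoft.Authorization/roleAssignments/write", "status": status, "caller": caller,
        "resourceId": scope + "/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001",
        "properties": {"requestbody": json.dumps({"Properties": {
            "RoleDefinitionId": SUB + "/providers/Microsoft.Authorization/roleDefinitions/" + role_id,
            "PrincipalId": "22222222-0000-0000-0000-000000000002", "Scope": scope}})},
    }

# Constructed sample: Owner at subscription scope (should alert), Contributor on a resource group only,
# and Reader at subscription scope (neither of the latter should alert).
SAMPLE_ACTIVITY_LOG = [
    _event("Succeeded", SUB, "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "alice@example.test"),
    _event("Succeeded", SUB + "/resourceGroups/rg-app", "b24988ac-6180-42a0-ab88-20f7382dd24c", "bob@example.test"),
    _event("Succeeded", SUB, "acdd72a7-3385-48ef-bd42-f606fba81ae7", "carol@example.test"),
]

def subscription_scope(resource_id: str):
    """Return the scope if the assignment sits directly on a subscription, else None."""
    scope = resource_id.split("/providers/Microsoft.Authorization/roleAssignments/", 1)[0]
    parts = scope.strip("/").split("/")
    return scope if len(parts) == 2 and parts[0].lower() == "subscriptions" else None

def privileged_role_of(record: dict):
    """Map the assigned role definition id to 'Owner'/'Contributor', or None for other roles.
    Key casing inside logged request bodies is not guaranteed, so keys are lower-cased first."""
    body = json.loads(record.get("properties", {}).get("requestbody") or "{}")
    props = {k.lower(): v for k, v in body.items()}.get("properties") or {}
    role_def = {k.lower(): v for k, v in props.items()}.get("roledefinitionid") or ""
    return PRIVILEGED_ROLES.get(role_def.rsplit("/", 1)[-1].lower())

def find_subscription_privilege_grants(records) -> list:
    """Alert condition: a successful Owner/Contributor assignment at subscription scope."""
    alerts = []
    for r in records:
        if r.get("operationName", "").lower() != "microsoft.authorization/roleassignments/write" \
                or r.get("status") != "Succeeded":
            continue
        scope, role = subscription_scope(r.get("resourceId", "")), privileged_role_of(r)
        if scope and role:
            alerts.append({"caller": r.get("caller"), "role": role, "scope": scope})
    return alerts
```

In production the records would be read from the AzureActivity table in the Log Analytics workspace described above rather than from an inline list, and the role name in each alert lets Owner grants be routed with higher urgency than Contributor grants.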

Week 4–6: Network Security

  • Just-in-Time VM Access enabled for all 8 VMs:
    • RDP/SSH blocked by default
    • JIT requests require justification, time-limited to 2 hours, locked to requestor IP
  • NSG audit and remediation:
    • All 0.0.0.0/0 inbound rules removed
    • Application Security Groups (ASGs) implemented for workload grouping
    • NSG Flow Logs enabled on all NSGs
  • Azure Firewall deployed in hub VNet:
    • All egress traffic routed through Azure Firewall
    • Threat intelligence-based filtering enabled
    • Application rules for permitted outbound destinations
    • Force-tunnel configured for all spoke VNets
  • Private Endpoints for Azure PaaS services:
    • Azure SQL: moved to Private Endpoint + disabled public endpoint
    • Azure Blob Storage: Private Endpoint for production storage accounts
    • Key Vault: Private Endpoint configured
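As a check that the NSG remediation above actually closed NC4, here is an added Python example (not the project's own tooling) that evaluates an NSG export for management ports reachable from any internet source, applying the same priority-ordered first-match semantics Azure uses. The sample NSG and its rule names are constructed; the field names follow the `az network nsg show` JSON output.

```python
# Source prefixes that mean "any internet address" in an NSG rule.
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample NSG in the shape of `az network nsg show` output
# (only the fields the evaluation needs). Rule names are made up.
SAMPLE_NSG = {"name": "nsg-app-prod", "securityRules": [
    {"name": "allow-rdp-anywhere", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-ssh-office", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "deny-ssh-internet", "priority": 250, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22"]},
    {"name": "allow-all-tcp", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
]}

def _field(rule: dict, plural: str, singular: str) -> list:
    """Merge the list form and the single-value form of an NSG rule field."""
    single = rule.get(singular)
    return list(rule.get(plural) or []) + ([single] if single else [])

def port_in_ranges(port: int, ranges) -> bool:
    """True if port falls in any range written as '*', '22' or '3000-4000'."""
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def internet_exposed_ports(nsg: dict) -> dict:
    """Evaluate the NSG as Azure does: rules are tried in ascending priority and the
    first rule matching Inbound/TCP/port/unrestricted source decides; with no match the
    built-in DenyAllInBound applies. Returns {port: rule name} for exposed ports."""
    exposed = {}
    for port in MANAGEMENT_PORTS:
        for rule in sorted(nsg.get("securityRules", []), key=lambda r: r["priority"]):
            if rule.get("direction") != "Inbound" or rule.get("protocol", "*").lower() not in ("*", "tcp"):
                continue
            sources = [s.lower() for s in _field(rule, "sourceAddressPrefixes", "sourceAddressPrefix")]
            if (not port_in_ranges(port, _field(rule, "destinationPortRanges", "destinationPortRange"))
                    or not any(s in ANY_SOURCE for s in sources)):
                continue  # rule does not cover this port, or only admits a restricted source range
            if rule.get("access") == "Allow":
                exposed[port] = rule["name"]
            break  # first matching rule wins; a Deny here means the port is protected
    return exposed
```

A wildcard source combined with a wildcard port range (the last rule in the sample) exposes RDP just as a literal 0.0.0.0/0 rule does, which is why the audit has to evaluate effective access rather than search for the string 0.0.0.0/0.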

Week 6–8: Additional Controls

  • Azure Policy initiative created and assigned at subscription level:
    • Require MFA for Subscription Owner
    • Audit VMs without disk encryption
    • Require private endpoints for PaaS services
    • Enforce TLS 1.2 on storage accounts
    • Block public blob access
  • Vulnerability assessment:
    • Qualys agent (integrated with Microsoft Defender for Servers) deployed to all VMs
    • All Critical and High VM vulnerabilities patched within 14 days
  • ISO 27001 evidence preparation:
    • Azure Security Benchmark compliance report (Defender for Cloud) exported as audit evidence
    • Secure Score documented: 42% → 94% (improvement evidence for NC remediation)
    • PIM activity logs exported as evidence of privileged access controls
    • JIT VM access logs as evidence of NC4 remediation

Repeat Audit Outcome

The repeat Stage 2 audit was conducted 4 months after the CyberneticsPlus engagement began.

Auditor review:

  • All 4 major nonconformities reviewed against remediation evidence
  • Azure Secure Score trajectory (42% → 94%) presented as evidence of systematic improvement
  • PIM activation logs demonstrated JIT access control
  • Defender for Cloud compliance dashboard showed 87% compliance against ISO 27001 mapped controls

Result: ISO 27001:2022 certification granted — zero major nonconformities in the repeat audit. Two minor observations raised (not blocking for certification): incomplete asset tagging and one non-production environment without diagnostic settings.

The company has since expanded their Defender for Cloud deployment to cover Azure DevOps pipelines and now conducts quarterly cloud security reviews as part of their ISMS surveillance process.

Client: Anonymous · SaaS · United Kingdom
