Azure has matured impressively over the last few years, and the platform defaults are noticeably better than they were. The catch is that many of the workloads running in production today were created when the defaults were less stringent, and the choices made on day one rarely get revisited. Treating the platform as something that secures itself misses the point. The defaults you accepted years ago are still living in your tenant today.
Public Endpoints Are Still Common
Many Azure PaaS services used to default to public endpoints that accepted connections from anywhere on the internet. App Service, SQL Database, Cosmos DB and Storage Accounts all had this characteristic at some point. The platform has since shifted toward private endpoints as the recommended pattern, but every resource provisioned during the public-defaults era still carries those defaults unless somebody went back and changed them. Note that adding a private endpoint on its own does not close the public one: the resource's public network access has to be disabled, or its network rules set to deny by default, before the public endpoint is actually gone. A competent Azure penetration test will inventory every internet-exposed service and prioritise the ones holding sensitive data.
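The inventory step described above, as an added example that is not code from the original article: it takes a snapshot shaped like the JSON that `az storage account list` and `az sql server list` emit (with each server's `az sql server firewall-rule list` output attached under a "firewallRules" key), classifies each resource by how reachable its endpoint is, and orders the result worst-first with sensitive data ahead of the rest. The field names, the "data" tag convention and the sample snapshot are all assumptions for the purpose of the example; check the field names against your own `-o json` output before relying on it.

```python
"""Rank Azure PaaS resources by internet exposure and data sensitivity.

Added example for this article, not code from the original page. Field
names follow the az CLI JSON for storage accounts and SQL logical servers
as I know them; treat them as an assumption and verify locally.
"""
import ipaddress
import json

# Assumed tagging convention: a "data" tag says what a resource holds.
SENSITIVE_TAGS = {"pii", "confidential", "financial"}
# Exposure levels, worst first.
ORDER = {"internet": 0, "broad": 1, "restricted": 2, "private": 3}
ZERO = ipaddress.ip_address("0.0.0.0")

# Constructed sample snapshot imitating az CLI output; not real tenant data.
SAMPLE = json.loads("""
{
  "storage": [
    {"name": "stlegacydata", "tags": {"data": "pii"}, "publicNetworkAccess": "Enabled",
     "allowBlobPublicAccess": true, "networkRuleSet": {"defaultAction": "Allow"}},
    {"name": "stlocked", "tags": {"data": "pii"}, "publicNetworkAccess": "Disabled",
     "allowBlobPublicAccess": false, "networkRuleSet": {"defaultAction": "Deny"}},
    {"name": "stlogs", "tags": {}, "publicNetworkAccess": "Enabled",
     "allowBlobPublicAccess": false, "networkRuleSet": {"defaultAction": "Deny"}}
  ],
  "sql": [
    {"name": "sql-customers", "tags": {"data": "pii"}, "publicNetworkAccess": "Enabled",
     "firewallRules": [{"name": "AllowAll", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"}]},
    {"name": "sql-analytics", "tags": {"data": "confidential"}, "publicNetworkAccess": "Enabled",
     "firewallRules": [{"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}]},
    {"name": "sql-reporting", "tags": {}, "publicNetworkAccess": "Enabled",
     "firewallRules": [{"name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"}]}
  ]
}
""")


def worse(a, b):
    """Return the more exposed of two levels."""
    return a if ORDER[a] <= ORDER[b] else b


def classify_storage(acct):
    """Exposure of a storage account. A missing publicNetworkAccess is treated
    as Enabled, which is what accounts from the public-defaults era have."""
    if acct.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "private", []
    reasons = []
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") == "Allow":
        level = "internet"
        reasons.append("network rules default to Allow: any internet client can reach the endpoint")
    else:
        level = "restricted"  # public endpoint exists but only listed networks get through
    if acct.get("allowBlobPublicAccess"):
        reasons.append("anonymous blob access is permitted at the account level")
    return level, reasons


def classify_sql(server):
    """Exposure of a SQL logical server from its server-level firewall rules."""
    if server.get("publicNetworkAccess", "Enabled") == "Disabled":
        return "private", []
    level, reasons = "restricted", []
    for rule in server.get("firewallRules", []):
        start = ipaddress.ip_address(rule["startIpAddress"])
        end = ipaddress.ip_address(rule["endIpAddress"])
        if start == ZERO and end == ZERO:
            # The 0.0.0.0-0.0.0.0 sentinel is "Allow Azure services": it admits
            # clients running in any Azure tenant, not only yours.
            level = worse(level, "broad")
            reasons.append(f"rule {rule['name']}: admits any Azure-hosted client, including other tenants")
        elif int(end) - int(start) + 1 >= 2 ** 24:
            level = worse(level, "internet")
            reasons.append(f"rule {rule['name']}: {start}-{end} is effectively the whole internet")
    return level, reasons


def _finding(kind, res, level, reasons):
    tags = res.get("tags") or {}
    return {"kind": kind, "name": res["name"], "exposure": level,
            "sensitive": str(tags.get("data", "")).lower() in SENSITIVE_TAGS,
            "reasons": reasons}


def inventory(snapshot):
    """Classify every resource and sort worst-first: most exposed, then
    sensitive data before non-sensitive, then by name."""
    findings = [_finding("storage", a, *classify_storage(a)) for a in snapshot.get("storage", [])]
    findings += [_finding("sql", s, *classify_sql(s)) for s in snapshot.get("sql", [])]
    findings.sort(key=lambda f: (ORDER[f["exposure"]], not f["sensitive"], f["name"]))
    return findings


if __name__ == "__main__":
    for f in inventory(SAMPLE):
        print(f"{f['exposure']:10} {f['kind']:8} {f['name']:16} {'SENSITIVE' if f['sensitive'] else ''}")
        for r in f["reasons"]:
            print(f"             - {r}")
```

The ranking deliberately separates the "Allow Azure services" sentinel from a genuinely world-open rule: the first is commonly left in place by people who believe it means "my Azure services", while the second is usually an accident. Both end up near the top of the list; the fix for both is to disable public network access and reach the server over a private endpoint.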
Diagnostic Logging Tends To Be Off
You cannot investigate what you did not log. Many Azure services ship with diagnostic logging disabled by default, on the assumption that the customer will turn it on if they need it. In practice nobody turns it on until they need it, and by then the incident is already running. Enable diagnostic settings by default for any production resource and forward the events to a destination such as a Log Analytics workspace or a storage account, with a retention period that outlasts the time it typically takes you to notice and investigate an incident. Keep in mind that diagnostic settings are configured per resource and are not inherited, and that the subscription Activity Log, which is kept for 90 days by default, records only control-plane operations; data-plane events such as blob reads or Key Vault secret retrievals are recorded only if the resource's own diagnostic setting is enabled.
Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
A pattern we have run into repeatedly is a customer requesting an incident investigation and discovering that the logs simply do not exist. The platform was not at fault. The diagnostic settings were never enabled, so the events the customer needed to reconstruct the incident were never recorded.
The Cost Of Drift Compounds
Configuration baselines drift the moment they ship. New services get added with their original defaults. Teams adjust settings to solve immediate problems and forget to revisit them. The accumulated drift, taken across an entire subscription, can move the security posture a long way from where it started. Treat configuration validation as a regular activity rather than a project that runs once: run an automated baseline check continuously, and compare each run with the last so you see what changed, rather than relying on point-in-time audits that miss the changes made between cycles.
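A continuous baseline check of the kind described here, covering both the diagnostic-setting coverage from the logging section and the run-to-run drift comparison from this one, as an added example that is not code from the original article. Each resource is a dict shaped like the `az ... show` JSON for that type, with the output of `az monitor diagnostic-settings list` attached under a "diagnosticSettings" key; the baseline is a set of dotted property paths and the value each must hold. The property names, the two snapshots and the "to-law"/"to-storage" setting names are assumptions constructed for the example; verify the names against your own tenant before trusting a clean result.

```python
"""Configuration-baseline check with diagnostic-setting coverage and
run-to-run drift comparison.

Added example for this article, not code from the original page. Property
names follow az CLI JSON for each resource type as I know them and are an
assumption; the snapshots are constructed, not real tenant data.
"""
import copy
import json

# The baseline: per resource type, dotted property paths and the value each
# must hold. An absent property never counts as compliant.
BASELINE = {
    "Microsoft.Storage/storageAccounts": {
        "publicNetworkAccess": "Disabled",
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": False,
        "encryption.keySource": "Microsoft.Keyvault",   # customer-managed key
    },
    "Microsoft.KeyVault/vaults": {
        "properties.publicNetworkAccess": "Disabled",
        "properties.enablePurgeProtection": True,
    },
}

# Constructed snapshot from one scheduled run.
SNAPSHOT_T0 = json.loads("""[
  {"name": "stlegacydata", "type": "Microsoft.Storage/storageAccounts",
   "publicNetworkAccess": "Enabled", "minimumTlsVersion": "TLS1_0", "allowBlobPublicAccess": true,
   "encryption": {"keySource": "Microsoft.Storage"}, "diagnosticSettings": []},
  {"name": "stgood", "type": "Microsoft.Storage/storageAccounts",
   "publicNetworkAccess": "Disabled", "minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false,
   "encryption": {"keySource": "Microsoft.Keyvault"},
   "diagnosticSettings": [{"name": "to-law", "workspaceId": "/subscriptions/.../workspaces/law-prod",
                           "logs": [{"category": "StorageRead", "enabled": true}]}]},
  {"name": "kv-prod", "type": "Microsoft.KeyVault/vaults",
   "properties": {"publicNetworkAccess": "Enabled", "enablePurgeProtection": true},
   "diagnosticSettings": [{"name": "to-storage", "storageAccountId": "/subscriptions/.../stlogs",
                           "logs": [{"category": "AuditEvent", "enabled": false}]}]}
]""")

# The next run: one finding was remediated, and one new piece of drift crept in.
SNAPSHOT_T1 = copy.deepcopy(SNAPSHOT_T0)
SNAPSHOT_T1[0]["publicNetworkAccess"] = "Disabled"   # stlegacydata fixed
SNAPSHOT_T1[1]["allowBlobPublicAccess"] = True        # "temporary" change on stgood


def lookup(obj, path):
    """Resolve a dotted path; None if any segment is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def has_diagnostics(resource):
    """True if some diagnostic setting sends at least one enabled log
    category to a durable destination (workspace, storage account or event hub)."""
    for setting in resource.get("diagnosticSettings", []):
        dest = (setting.get("workspaceId") or setting.get("storageAccountId")
                or setting.get("eventHubAuthorizationRuleId"))
        if dest and any(cat.get("enabled") for cat in setting.get("logs", [])):
            return True
    return False


def check_baseline(resources, baseline=BASELINE):
    """Return one drift record per (resource, check) that misses the baseline."""
    drift = []
    for res in resources:
        for path, want in baseline.get(res["type"], {}).items():
            got = lookup(res, path)
            if got != want:
                drift.append({"resource": res["name"], "check": path,
                              "expected": want, "actual": got})
        if not has_diagnostics(res):
            drift.append({"resource": res["name"], "check": "diagnosticSettings",
                          "expected": "enabled logs with a destination", "actual": "none"})
    return drift


def diff_runs(previous, current):
    """What changed between two runs: (newly drifted, resolved), as sorted
    (resource, check) pairs. This is what a point-in-time audit cannot show."""
    prev = {(d["resource"], d["check"]) for d in previous}
    curr = {(d["resource"], d["check"]) for d in current}
    return sorted(curr - prev), sorted(prev - curr)


if __name__ == "__main__":
    t0, t1 = check_baseline(SNAPSHOT_T0), check_baseline(SNAPSHOT_T1)
    for d in t1:
        print(f"{d['resource']:14} {d['check']:36} expected={d['expected']!r} actual={d['actual']!r}")
    new, resolved = diff_runs(t0, t1)
    print("new drift since last run:", new)
    print("resolved since last run: ", resolved)
```

Two design points matter here. A missing property is reported as drift rather than skipped, because a resource created before a setting existed is exactly the case the article is about. And the comparison between runs is kept separate from the check itself, so the totals can stay flat (as they do between these two snapshots) while the actual findings have changed underneath.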
Encryption Defaults Are Necessary But Not Sufficient
Most Azure services encrypt data at rest by default using platform-managed keys. This is a sensible floor. It is not the same as a customer-managed key, and it is not the same as having a defensible key management policy. Where regulatory or contractual requirements demand control over the key material, customer-managed keys held in Key Vault give you the audit trail and the revocation control you need: disabling or removing the key renders the data unreadable to the service. That cuts both ways, so soft delete and purge protection on the vault belong in the baseline alongside the key itself. Combine that with a periodic independent review of the broader configuration baseline and the platform defaults can move from a starting point to a finished position.
Cloud security is about choices, not switches. The defaults are where the work begins. Cloud security improves when treated as a continuous discipline rather than a series of configuration projects. The platforms reward consistent attention with consistently better outcomes. Cloud security is a shared responsibility model in name and a fully owned responsibility model in practice. The configuration choices that matter live on your side of the line, regardless of how the provider markets the platform.
