Azure Migration and Modernization Blog

Azure Landing Zone and compliance for Banks (Indian Banks)

srhulsus
Feb 12, 2026

This document serves as a practical, regulator-ready reference for designing, implementing, and operating a Microsoft Azure Landing Zone for Banking workloads, with explicit alignment to ISO 27001, PCI-DSS, FFIEC, and RBI (India) regulatory guidelines.

1. Azure Landing Zone for Banks

Azure Landing Zone (ALZ) is a predefined, policy-driven cloud foundation that enables banks to securely host regulated workloads while meeting governance, security, audit, and compliance mandates.

Core ALZ Principles

  • Subscription isolation by environment and risk tier
  • Centralized identity and access management
  • Hub-and-Spoke network architecture
  • Security-by-default with Zero Trust
  • Policy-as-code enforcement
  • Full auditability and traceability

2. Reference Architecture (Banking Grade)

Management Group Hierarchy

  • Root Management Group (Bank)
  • Platform MG
      o Connectivity Subscription
      o Security Subscription
      o Management Subscription
  • Landing Zone MG
      o Production Subscriptions
      o Non-Production Subscriptions
      o DR Subscriptions

Compliance Value: Enforces segregation of duties, blast-radius containment, and audit scope isolation.

3. Identity & Access Management (IAM)

Azure Services

  • Microsoft Entra ID (Azure AD)
  • Privileged Identity Management (PIM)
  • Conditional Access
  • MFA (Mandatory)

Compliance Mapping

Regulation       Requirement             Azure Control
ISO 27001 A.9    Access control          RBAC, PIM
PCI-DSS 7 & 8    Least privilege, MFA    Entra ID, CA
FFIEC            Strong authentication   MFA, PIM
RBI              Role-based access       RBAC, CA

4. Network Security Architecture

Mandatory Controls

  • Hub-Spoke VNets
  • Azure Firewall Premium (IDPS, TLS inspection)
  • NSGs + UDRs
  • Azure DDoS Protection Standard
  • Private Endpoints for PaaS
  • No direct internet exposure to core workloads

Compliance Mapping

Regulation       Requirement             Azure Control
ISO 27001 A.13   Network security        Firewall, NSG
PCI-DSS 1        Network segmentation    Hub-Spoke
FFIEC            Perimeter defense       Firewall, WAF
RBI              Secure network zoning   Hub-Spoke

5. Data Protection & Cryptography

Azure Services

  • Azure Key Vault (HSM-backed)
  • Customer Managed Keys (CMK)
  • Encryption at Rest & Transit
  • Azure Disk Encryption

Compliance Mapping

Regulation       Requirement                  Azure Control
ISO 27001 A.10   Cryptography                 Key Vault
PCI-DSS 3        Cardholder data encryption   CMK
FFIEC            Key management               HSM
RBI              Bank-owned keys              CMK

6. Logging, Monitoring & SIEM

Azure Services

  • Azure Monitor
  • Log Analytics
  • Microsoft Sentinel
  • Defender for Cloud

Controls Implemented

  • Centralized log retention (minimum 1 year)
  • Immutable audit logs
  • Real-time security alerts
  • Integration with Bank SOC/SIEM

Compliance Mapping

Regulation       Requirement             Azure Control
ISO 27001 A.12   Logging & monitoring    Azure Monitor
PCI-DSS 10       Audit logging           Sentinel
FFIEC            Continuous monitoring   SIEM
RBI              Incident reporting      Sentinel

7. Vulnerability Management & Threat Protection

Azure Services

  • Microsoft Defender for Cloud
  • Vulnerability Assessment
  • Azure Update Manager

Compliance Mapping

Regulation         Requirement          Azure Control
ISO 27001 A.12.6   Vulnerability mgmt   Defender
PCI-DSS 11         Regular testing      VA
FFIEC              Threat detection     Defender
RBI                Cyber resilience     Defender

8. Business Continuity & Disaster Recovery

Azure Services

  • Azure Site Recovery (ASR)
  • Azure Backup
  • Multi-region deployment (India regions)

Controls

  • Defined RPO/RTO per application
  • DR drills (minimum annually)
  • Separate DR subscriptions

Compliance Mapping

Regulation       Requirement          Azure Control
ISO 27001 A.17   BC/DR                ASR
PCI-DSS          Availability         Multi-region
FFIEC            Resilience testing   DR drills
RBI              BCP compliance       ASR

9. Data Residency & Sovereignty (India)

Controls

  • Deployment restricted to Azure India regions
  • Azure Policy to block non-India regions
  • Geo-redundancy within India only
  • Controlled cross-border access

RBI Alignment: Data localization, supervisory access, audit rights.

10. Governance, Policy & Compliance Automation

Azure Services

  • Azure Policy
  • Policy Initiatives (Regulatory Compliance)
  • Azure Blueprints (where applicable)

Examples

  • Deny public IP on VMs
  • Enforce encryption
  • Enforce diagnostic logging
  • Restrict SKU usage
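As an added example (not code from the original post), the two policy rules behind the section 9 control (block deployments outside Azure India regions) and the section 10 control (deny public IPs on VM network interfaces), written in Azure Policy's policyRule format, with a small offline evaluator for the subset of the rule language they use so the deny decision can be checked against sample resources. The India region list and the alias-to-property mapping in field_values are assumptions; displayName, mode and parameters are omitted.

```python
ALLOWED_LOCATIONS = ["centralindia", "southindia", "westindia"]  # assumed list

# Section 9: deny anything outside India regions. Only policyRule is shown.
ALLOWED_LOCATIONS_POLICY = {
    "if": {"allOf": [
        {"field": "location", "notIn": ALLOWED_LOCATIONS},
        {"field": "location", "notEquals": "global"},  # region-less resources
    ]},
    "then": {"effect": "deny"},
}

# Section 10: deny NICs carrying a public IP. A [*] alias holds only if the
# condition holds for every array element, so "no ipConfiguration has a
# public IP" is negated to get "at least one does".
NIC_PUBLIC_IP = "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id"
DENY_PUBLIC_IP_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/networkInterfaces"},
        {"not": {"field": NIC_PUBLIC_IP, "exists": "false"}},
    ]},
    "then": {"effect": "deny"},
}

def field_values(resource, field):
    """One value per [*] element; alias mapping is assumed and hard-coded."""
    if field == NIC_PUBLIC_IP:
        return [c.get("properties", {}).get("publicIpAddress", {}).get("id")
                for c in resource.get("properties", {}).get("ipConfigurations", [])]
    return [resource.get(field)]

def evaluate(cond, resource):
    """True when the policy condition matches the resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    ops = {  # operator -> predicate on one field value
        "equals": lambda v, x: v == x, "notEquals": lambda v, x: v != x,
        "in": lambda v, x: v in x, "notIn": lambda v, x: v not in x,
        "exists": lambda v, x: (v is not None) == (x == "true"),
    }
    op = next(k for k in ops if k in cond)
    return all(ops[op](v, cond[op]) for v in field_values(resource, cond["field"]))

def effect(policy, resource):
    """'deny' when the rule's if-block matches, else None (allowed)."""
    return policy["then"]["effect"] if evaluate(policy["if"], resource) else None
```

An empty ipConfigurations array makes the [*] condition hold vacuously, so a NIC with no IP configurations is allowed, matching the service's array semantics.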

11. Audit, Regulatory & Supervisory Access

Controls

  • Read-only auditor access via RBAC
  • Exportable logs and reports
  • Documented HLD/LLD
  • Support for RBI / CERT-In audits

12. Exit Management & Data Destruction

Controls

  • VM export (VHD)
  • Secure wipe (NIST-aligned)
  • Certificate of data destruction
  • Knowledge transfer

13. Summary – Why Azure Landing Zone for Banks

  • Microsoft CAF-aligned architecture
  • Regulator-accepted controls
  • India data residency
  • Strong audit and exit posture
  • Proven adoption by Tier-1 banks

Version 1.0

1 Comment

  • kavyesh

    What AI-generated nonsense is this. This document does not have depth.