https://learn.microsoft.com/en-us/azure/security/fundamentals/infrastructure-integrity
All components in the software stack that are installed in the Azure environment are custom built following the Microsoft Security Development Lifecycle (SDL) process. All software components, including operating system (OS) images and SQL Database, are deployed as part of the change management and release management process. The OS that runs on all nodes is a customized version. The exact version is chosen by the fabric controller (FC) according to the role it intends for the OS to play. In addition, the host OS doesn't allow installation of any unauthorized software components.
1.2.3 Azure Data Protection
https://learn.microsoft.com/en-us/azure/security/fundamentals/protection-customer-data
Azure provides customers with strong data security, both by default and as customer options.
Data segregation: Azure is a multi-tenant service, which means that multiple customer deployments and VMs are stored on the same physical hardware. Azure uses logical isolation to segregate each customer's data from the data of others. Segregation provides the scale and economic benefits of multi-tenant services while rigorously preventing customers from accessing one another's data.
At-rest data protection: Customers are responsible for ensuring that data stored in Azure is encrypted in accordance with their standards. Azure offers a wide range of encryption capabilities, giving customers the flexibility to choose the solution that best meets their needs. Azure Key Vault helps customers easily maintain control of keys that are used by cloud applications and services to encrypt data. Azure Disk Encryption enables customers to encrypt VMs. Azure Storage Service Encryption makes it possible to encrypt all data placed into a customer's storage account.
In-transit data protection: Microsoft provides a number of options that can be utilized by customers for securing data in transit internally within the Azure network and externally across the Internet to the end user. These include communication through Virtual Private Networks (utilizing IPsec/IKE encryption), Transport Layer Security (TLS) 1.2 or later (via Azure components such as Application Gateway or Azure Front Door), protocols directly on the Azure virtual machines (such as Windows IPsec or SMB), and more.
Additionally, "encryption by default" using MACsec (an IEEE standard at the data-link layer) is enabled for all Azure traffic travelling between Azure datacenters to ensure confidentiality and integrity of customer data.
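The at-rest and in-transit paragraphs above place the configuration choice on the customer (which key source, and whether clients may connect below TLS 1.2). The following check, added here as an illustration and not part of the Microsoft documentation or any Azure tool, evaluates storage account resources against those expectations. The property names (supportsHttpsTrafficOnly, minimumTlsVersion, encryption.keySource, encryption.services) are the ones exposed on the Microsoft.Storage/storageAccounts resource; the account names and values are constructed sample data, and the require_cmk flag is an assumed stand-in for a customer's own key-management standard.

```python
# Constructed sample shaped like the ARM Microsoft.Storage/storageAccounts
# resource (the JSON `az storage account show` returns): one account that
# meets the at-rest and in-transit expectations above, one that does not.
SAMPLE_ACCOUNTS = [
    {"name": "stgcompliant01", "properties": {
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "encryption": {
            "keySource": "Microsoft.Keyvault",
            "services": {"blob": {"enabled": True}, "file": {"enabled": True}}}}},
    {"name": "stglegacy02", "properties": {
        "supportsHttpsTrafficOnly": False,
        "minimumTlsVersion": "TLS1_0",
        "encryption": {
            "keySource": "Microsoft.Storage",
            "services": {"blob": {"enabled": True}, "file": {"enabled": False}}}}},
]

# Ordering used to enforce the "TLS 1.2 or later" floor.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def findings(account, require_cmk=False):
    """Return findings for one account (empty list means compliant).
    require_cmk models a customer standard that demands Key Vault-managed keys."""
    props = account["properties"]
    enc = props.get("encryption", {})
    out = []
    # In transit: no plaintext HTTP endpoint and a TLS 1.2 minimum. Accounts
    # created before minimumTlsVersion existed behave as TLS1_0 when it is absent.
    if not props.get("supportsHttpsTrafficOnly", False):
        out.append("plaintext HTTP allowed; set supportsHttpsTrafficOnly")
    tls = props.get("minimumTlsVersion", "TLS1_0")
    if TLS_ORDER.get(tls, 0) < TLS_ORDER["TLS1_2"]:
        out.append(f"minimumTlsVersion is {tls}; raise to TLS1_2 or later")
    # At rest: every listed service encrypted, and key source per customer standard.
    for svc, cfg in enc.get("services", {}).items():
        if not cfg.get("enabled", False):
            out.append(f"{svc} service encryption disabled")
    if require_cmk and enc.get("keySource") != "Microsoft.Keyvault":
        out.append("platform-managed keys in use; standard requires Key Vault CMK")
    return out


def audit(accounts, require_cmk=False):
    """Map account name -> findings for a list of account resources."""
    return {acct["name"]: findings(acct, require_cmk) for acct in accounts}


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS, require_cmk=True).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Feed it the output of `az storage account list` to run the same check across a subscription; the MACsec layer is Microsoft-managed and has no customer-facing setting to verify.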