Cyber resilience is not a product you deploy or a feature you turn on. It is not something you can buy and layer onto an environment after the fact. It is the outcome of architectural decisions made early, often before an organization has experienced a serious incident. This is what people mean by ‘Secure-By-Design’—that architectures, training, employees, indeed entire organizations are built to withstand disruption.
In cloud environments, those decisions surface most clearly in how identity is scoped, how trust boundaries are enforced, and how recovery workflows behave under failure conditions.
When resilience is treated as an add-on capability, it often depends on broad permissions, shared trust domains, and opaque processing paths that function in steady state but fail during an actual incident. These are all platform-level concerns. In Azure, they are defined by how identity, networking, and subscription boundaries are designed and enforced.
That is why cyber resilience cannot be addressed independently of the underlying cloud architecture and why it requires coordination between the platform and the systems that protect and recover data. Both must employ ‘Secure-By-Design’ principles.
This is where Microsoft and Rubrik work together to help joint customers recover cleanly, even when parts of the Azure environment are compromised. Azure establishes the core trust boundaries through Entra ID, Azure networking, and tenant/subscription isolation. Rubrik operates within those boundaries, extending them into data protection and recovery workflows without bypassing the platform controls they rely on.
Identity First Security: The “Least Privilege” Approach
Identity is the primary control plane in modern cloud environments. Human access, service-to-service communication, and automation workflows all depend on it. When identity is compromised, attackers can move laterally, abuse APIs, and manipulate infrastructure at scale. Any recovery architecture that does not account for this reality will fail under pressure.
Rubrik’s integration with Azure prioritizes strict identity boundaries and least-privilege access. It uses Azure Entra ID service principals scoped to individual tenants and operates without standing administrative permissions.
Additionally, customers can configure Rubrik with backup-only permissions, limiting its ability to perform recovery operations unless broader access is explicitly granted. How and when restore permissions are elevated is controlled by the customer and governed by Azure’s native identity model, rather than enforced implicitly by the platform.
Rubrik does not bypass identity governance, introduce alternate credential stores, or rely on long-lived static secrets. All authentication flows through Entra ID and remains subject to the same access policies, auditing, and conditional access controls that govern the rest of the Azure environment.
This approach reduces blast radius by design. A compromised identity cannot be used to silently escalate privileges or trigger destructive recovery actions. The same identity controls that protect production also constrain the recovery system, ensuring that data protection does not become a privileged exception during an incident.
Data Sovereignty and Processing: The Exocompute Model
Data sovereignty in cloud environments is not defined by policy statements. It is defined by where data is stored, where it is processed, and which trust boundaries control that activity. During a cyber incident, those details matter. If backup data or recovery workflows escape customer-owned boundaries, sovereignty and recoverability quickly break down.
Rubrik’s architecture on Azure keeps both data and data processing under customer control. Backup data can be stored within the same subscription as production workloads, in a separate customer-owned subscription, or logically air-gapped within Rubrik Cloud Vault. Storing backups outside the production subscription introduces an additional isolation boundary, reducing the impact of subscription-level compromise or administrative misuse during an incident. This isolation is architectural, enforced by Azure’s native account and subscription boundaries.
Data processing is handled through Exocompute, an Azure Kubernetes Service (AKS) environment deployed into the customer’s subscription. Snapshot ingestion, indexing, and lifecycle operations execute within that environment. Processing does not shift into a shared SaaS execution layer during backup or recovery and is always confined to customer-defined Azure trust boundaries.
Exocompute is intentionally ephemeral. Compute capacity scales based on demand and contracts when idle, limiting both cost and exposure. Persistent services are minimized and long-lived processing components are avoided. This reduces the attack surface associated with idle infrastructure while preserving the ability to scale quickly during backup and recovery operations.
Rubrik Security Cloud, a SaaS-based application, functions as the control plane. It maintains system state, configuration, and operational metadata required to manage protection and recovery workflows. It does not store customer snapshots, files, or application data. This separation between control plane and data plane ensures that compromise of the SaaS layer does not result in direct access to customer data, or vice-versa.
This model reflects a deliberate alignment with Azure’s architectural guidance. Azure provides the isolation primitives through subscriptions, networking, and managed Kubernetes infrastructure. Rubrik builds on those primitives rather than replacing them. The result is a data protection and recovery architecture that preserves sovereignty and containment, even when the primary environment must be treated as untrusted.
Hardening the Core: Securing the AKS environment
Exocompute runs as customer-deployed infrastructure inside Azure, which means its security posture is part of the customer’s overall trust boundary. It cannot be treated as a privileged exception or an opaque service layer. If the compute environment responsible for snapshot processing and recovery is weakly isolated or overly permissive, it becomes a liability during an incident.
Rubrik builds Exocompute on Azure Kubernetes Service and secures it using Azure-native controls. Access to the Kubernetes control plane is integrated with Microsoft Entra ID and subject to Azure role-based access control and auditing. This aligns administrative access to Exocompute with the same identity governance model used elsewhere in the Azure environment rather than introducing separate access mechanisms or unmanaged credentials.
Exocompute is deployed using Azure’s private cluster model. The Kubernetes API server is not exposed to the public internet, and communication between the control plane and the nodes remains within customer-defined private networking. This reduces external attack surface and ensures that administrative access to the cluster is constrained by the same network boundaries that protect other sensitive workloads.
Exocompute does not rely on hidden access paths or privileged shortcuts to perform its functions. Its operation is intentionally constrained by Azure identity and networking boundaries, including during recovery operations when activity levels increase and the environment may already be under stress.
By treating Exocompute as part of the customer security perimeter and securing it accordingly, Rubrik avoids introducing a secondary control plane with elevated trust. The result is a data processing environment that scales when needed, remains governed by Azure controls and does not expand blast radius during recovery.
Securing Data in Transit and At Rest
Backup and recovery workflows operate across large portions of the environment and interact directly with sensitive data. They require access to production, to snapshots, to storage services, and compute resources at scale. The security of these workflows is therefore defined by how tightly access paths are scoped, how long access persists and where enforcement occurs. Poorly constrained access introduces risk to the environment. Properly constrained access does not.
Rubrik’s approach relies on Azure-native security mechanisms and on limiting how data is accessed during protection and recovery operations. Data transfers between protected workloads, Exocompute, and storage targets are encrypted in transit using standard Azure-supported protocols such as TLS 1.2 or higher. This applies consistently during routine backup activity and during large-scale recovery operations—so data in motion remains protected, even when operational volume increases.
At rest, Rubrik leverages Azure’s native storage encryption. Backup data stored in Azure-native storage services inherits Microsoft’s platform encryption by default. For customers choosing to use their own keys, Rubrik integrates with Azure Key Vault using Managed Identities. Key usage is limited to the required cryptographic operations, and access to the keys must be governed by the Managed Identity, which in turn requires only wrap and unwrap permissions. This preserves customer control over encryption keys while avoiding long-lived credentials or out-of-band access paths. Within Exocompute, host-based encryption on AKS nodes protects transient data created during snapshot processing and restore workflows. This reduces exposure associated with temporary data persistence during active operations.
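A customer-side check of the wrap/unwrap-only requirement described above, written as an added example rather than code from Rubrik or Microsoft. It audits a Key Vault access-policy list in the shape that `az keyvault show --query properties.accessPolicies` returns (field names as assumed here) and flags any permission the backup identity holds beyond wrapKey/unwrapKey; the object ids and policy entries are constructed placeholders.

```python
"""Audit a Key Vault access policy so a backup identity holds only wrapKey/unwrapKey."""

# The only key permissions a wrap/unwrap-only identity needs.
ALLOWED_KEY_PERMISSIONS = {"wrapkey", "unwrapkey"}

# Permissions that let an identity replace, export or destroy keys: any of these
# on a backup identity is a high-severity finding ('all' implies every one of them).
DESTRUCTIVE_KEY_PERMISSIONS = {"all", "create", "import", "delete", "purge", "update",
                               "restore", "rotate", "release"}


def audit_policy(access_policies: list, identity_object_id: str) -> list:
    """Return findings for the access-policy entries of one identity.

    An empty list means the identity has exactly wrapKey/unwrapKey on keys and
    no secret, certificate or storage permissions at all."""
    entries = [p for p in access_policies if p.get("objectId") == identity_object_id]
    if not entries:
        return ["no access policy entry found for identity"]
    findings = []
    for entry in entries:
        perms = entry.get("permissions", {})
        keys = {k.lower() for k in perms.get("keys", [])}
        missing = ALLOWED_KEY_PERMISSIONS - keys
        if "all" not in keys and missing:
            findings.append(f"missing required key permissions: {sorted(missing)}")
        for perm in sorted(keys - ALLOWED_KEY_PERMISSIONS):
            severity = "HIGH" if perm in DESTRUCTIVE_KEY_PERMISSIONS else "MEDIUM"
            findings.append(f"{severity}: key permission '{perm}' exceeds wrap/unwrap")
        for kind in ("secrets", "certificates", "storage"):
            if perms.get(kind):
                findings.append(f"HIGH: {kind} permissions granted: {sorted(perms[kind])}")
    return findings


# Constructed samples in the assumed shape of `az keyvault show --query properties.accessPolicies`;
# the object ids are placeholders, not real principals.
BACKUP_IDENTITY = "00000000-0000-0000-0000-000000000001"
LOOSE_POLICIES = [
    {"objectId": BACKUP_IDENTITY,
     "permissions": {"keys": ["wrapKey", "unwrapKey", "get", "delete"],
                     "secrets": ["get"], "certificates": []}},
    {"objectId": "00000000-0000-0000-0000-000000000002",   # some other principal
     "permissions": {"keys": ["all"], "secrets": ["all"]}},
]
HARDENED_POLICIES = [
    {"objectId": BACKUP_IDENTITY,
     "permissions": {"keys": ["wrapKey", "unwrapKey"], "secrets": [], "certificates": []}},
]

if __name__ == "__main__":
    print("loose:   ", audit_policy(LOOSE_POLICIES, BACKUP_IDENTITY))
    print("hardened:", audit_policy(HARDENED_POLICIES, BACKUP_IDENTITY) or ["OK: wrap/unwrap only"])
```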
Access to created snapshots during backup, archival, and recovery operations is intentionally scoped and time-limited. Rubrik uses Shared Access Signatures (SAS URIs) to obtain narrowly defined, temporary access to required storage resources instead of relying on persistent storage account keys. This limits the scope and duration of access and reduces the impact of token exposure during active operations.
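To make the "narrowly defined, temporary" property concrete, here is an added example (not Rubrik's or Microsoft's code) that lints a SAS URI before a job uses it: it checks the signed protocol, that the token is a resource-scoped service SAS rather than an account SAS, that the expiry is within an assumed maximum lifetime, and that the permission letters stay within a read-only set. The storage account, container, signature and lifetime policy are constructed placeholders.

```python
"""Lint an Azure Storage SAS URI for scope and lifetime before a job uses it."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=8)      # assumed policy: one job window, not days
READ_ONLY = set("rl")                  # read + list; a restore from a snapshot needs no more


def parse_sas_time(value: str) -> datetime:
    """SAS times are ISO 8601 UTC ('2024-05-01T12:00:00Z' or '2024-05-01')."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_sas_uri(uri: str, allowed=READ_ONLY, max_lifetime=MAX_LIFETIME, now=None) -> list:
    """Return findings for a SAS URI; an empty list means it is acceptably scoped."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(uri)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is not https")
    if "sig" not in q:
        findings.append("no 'sig' parameter: not a SAS URI")
    spr = q.get("spr", "https,http")               # absent spr defaults to both protocols
    if spr != "https":
        findings.append(f"spr permits non-HTTPS use: {spr}")
    if "ss" in q or "srt" in q:                    # account SAS spans whole services
        findings.append("account-level SAS (ss/srt); prefer a resource-scoped service SAS")
    if "se" not in q:
        findings.append("no expiry (se): token never expires")
    else:
        expiry = parse_sas_time(q["se"])
        start = parse_sas_time(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - start > max_lifetime:
            findings.append(f"lifetime {expiry - start} exceeds {max_lifetime}")
    extra = set(q.get("sp", "")) - allowed
    if extra:
        findings.append(f"permissions beyond {''.join(sorted(allowed))}: {''.join(sorted(extra))}")
    return findings


# Constructed sample URIs (placeholder account, container and signature).
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SCOPED_SAS = ("https://examplestorage.blob.core.windows.net/backups/snap-001.vhd"
              "?sv=2022-11-02&sr=b&sp=r&st=2024-05-01T08%3A00%3A00Z"
              "&se=2024-05-01T12%3A00%3A00Z&spr=https&sig=PLACEHOLDER")
BROAD_SAS = ("https://examplestorage.blob.core.windows.net/"
             "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup"
             "&se=2025-05-01T12%3A00%3A00Z&spr=https,http&sig=PLACEHOLDER")

if __name__ == "__main__":
    print("scoped:", check_sas_uri(SCOPED_SAS, now=NOW) or ["OK"])
    print("broad: ", check_sas_uri(BROAD_SAS, now=NOW))
```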
Authentication to storage services is handled through Microsoft Entra ID rather than shared secrets. The service principal defined during onboarding is used to authorize storage access, keeping these interactions within Azure’s existing identity governance model. Network access to backup storage remains under customer control, with options to restrict access through private endpoints or defined network paths, ensuring data movement does not bypass established network boundaries and remains within the Azure backbone.
Taken together, these controls ensure that data protection and recovery workflows do not become privileged exceptions within the environment. Encryption, scoped access, identity-based authorization, and customer-controlled network boundaries work together to keep backup and recovery aligned with the same security constraints that protect production workloads.
Secure Together, By Design
Secure by Design principles within Azure are shaped by architecture, not by individual features or tools. They depend on how identity is enforced, how trust boundaries are defined, and how systems operate when normal assumptions are no longer valid. When these elements are loosely coupled or bypass one another, recovery becomes fragile or impossible. The ability to withstand disruptions is key to survival.
The Microsoft and Rubrik partnership is built around a clear division of responsibility. Azure establishes the foundational security and governance boundaries, while Rubrik ensures operation within these boundaries, integrating data protection workflows without introducing elevated trust paths.
Across identity, data processing, compute, and storage, the design choices made early on by both Rubrik and Microsoft reflect a consistent architectural principle: we must treat all applications within our environment with the same care as production. Backup and recovery should reduce risk, not create new privileged attack surfaces.
The best part? This alignment is built into both Microsoft and Rubrik, and when applied, provides a powerful framework where cyber resilience is an architectural outcome of the platforms themselves. This ensures that your organization, even when under duress, has the ability to bounce back and truly be secure by design.
Want to explore secure-by-design principles in more depth? Watch this fireside chat with Anneka Gupta, Chief Product Officer at Rubrik, and Jen Easterly, former US Director of the Cybersecurity and Infrastructure Security Agency, as they discuss securing the cloud in the era of AI and why architectural decisions matter. If you want to see Rubrik Azure Protection in action, explore this Azure Protection Demo.