How do I protect Azure resources against a rogue and malicious employee who might want to delete them? [closed]

I am setting up vital infrastructure for a software company in Microsoft Azure. I would like to prevent a worst-case scenario, where someone (I imagine a disgruntled IT employee) can delete these vital resources and essentially wipe out the company. I have searched the web of course, but almost all the information I can find is on how to prevent accidental, as opposed to malicious, deletion.

The resources include SQL databases, web apps, storage accounts and the like.

I imagine that one approach might be to schedule backups and store the backups in a separate Azure subscription, to which very few people have access. The same people would not be given access to the subscription used for daily operations. Even if the subscription used for daily operations was completely wiped out, the backups would still be available and things could be restored within a couple of days (not ideal, but OK in a worst-case scenario). Unfortunately, I am not convinced that this is a sure-fire approach. And how do you even back up a storage account?

I also see that Azure has features like RBAC, Resource Locks, Recovery Vaults, and Azure AD Entitlement. I am not sure if these features could be combined into a sure-fire solution?

If you have any ideas, guidelines, references, or pointers you could share, I would really appreciate your input.
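
An added example, not part of the original question: the two-subscription split described above only holds if no single principal can destroy both subscriptions. The check below compares role assignments from each one, using constructed sample data shaped like the output of `az role assignment list --all --include-inherited`; every name, ID, subscription and management group in it is hypothetical, and only built-in roles are considered.

```python
# Built-in roles that can delete resources (Owner, Contributor) or remove
# resource locks (Owner, User Access Administrator). Custom roles are not covered.
DESTRUCTIVE_ROLES = {"Owner", "Contributor", "User Access Administrator"}

MG = "/providers/Microsoft.Management/managementGroups/mg-example"  # hypothetical

def ra(pid, name, ptype, role, scope):
    """Build one constructed record with the fields the az CLI returns."""
    return {"principalId": pid, "principalName": name, "principalType": ptype,
            "roleDefinitionName": role, "scope": scope}

# Constructed sample: daily-operations subscription.
OPS = [
    ra("aaaa-1", "ops-admin@example.com", "User", "Contributor", "/subscriptions/ops-sub"),
    ra("bbbb-2", "it-lead@example.com", "User", "Owner", MG),  # inherited from the MG
    ra("cccc-3", "auditor@example.com", "User", "Reader", "/subscriptions/ops-sub"),
]
# Constructed sample: backup subscription.
BACKUP = [
    ra("dddd-4", "custodian@example.com", "User", "Owner", "/subscriptions/backup-sub"),
    ra("bbbb-2", "it-lead@example.com", "User", "Owner", MG),  # same inherited grant
    ra("cccc-3", "auditor@example.com", "User", "Reader", "/subscriptions/backup-sub"),
    ra("eeee-5", "Backup Operators", "Group", "Contributor", "/subscriptions/backup-sub"),
]

def destructive(assignments):
    """Map principalId -> principalName for holders of a destructive role."""
    return {a["principalId"]: a["principalName"] for a in assignments
            if a["roleDefinitionName"] in DESTRUCTIVE_ROLES}

def separation_violations(ops, backup):
    """Principals who could wipe both the live resources and their backups."""
    o, b = destructive(ops), destructive(backup)
    return sorted(o[pid] for pid in o.keys() & b.keys())

def groups_to_expand(ops, backup):
    """Groups holding destructive roles; their members are not resolved here."""
    return sorted({a["principalName"] for a in ops + backup
                   if a["principalType"] == "Group"
                   and a["roleDefinitionName"] in DESTRUCTIVE_ROLES})

if __name__ == "__main__":
    print("Can destroy both subscriptions:", separation_violations(OPS, BACKUP))
    print("Groups needing member review:", groups_to_expand(OPS, BACKUP))
```

The sample shows the case that is easy to miss: an Owner assignment made at a management group is inherited by both subscriptions, so the two are not actually separated for that principal.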