January 15, 2025

Uncovering Hidden Tech Debt: Cloud Landing Zone Security Audits

How we conducted comprehensive security audits across multi-tenant Azure landing zones to eliminate legacy tech debt.

“Technical debt in the cloud doesn’t look like dusty servers—it looks like orphaned Public IPs, legacy TLS 1.0 endpoints, and unencrypted storage accounts.”

At Kyndryl, we conducted enterprise cloud audits to uncover hidden security vulnerabilities and technical debt across complex Azure landing zones.


Key Audit Candidates

  • Orphaned Public IPs: Unattached public IP addresses costing monthly fees while providing potential attack surfaces.
  • Deprecated TLS Protocols: Legacy web apps using TLS 1.0/1.1 instead of TLS 1.2+.
  • Over-Privileged Identity Roles: Service Principals with Contributor rights granted across entire subscriptions.
# # Azure CLI Query for Unattached Public IPs
az network public-ip list --query "[?ipConfiguration==null].{ResourceGroup:resourceGroup, Name:name, IPAddress:ipAddress}" --output table

The Verdict

Key Takeaway

Schedule Regular Technical Debt Remediation Cycles.

Do not treat cloud landing zones as static environments. Run automated compliance scans regularly to eliminate orphaned resources and patch security drift.