Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
In order to properly understand how to implement this control on Azure, we have to have an understanding of the shared responsibility model that helps to determine roles and responsibilities between cloud-providers and cloud-consumers. Here is a diagram from the shared responsibility for cloud computing whitepaper released by Microsoft.
Patching operating systems is part of the "host infrastructure" row above. As you can see from the diagram, the only operating model we need to specifically address is the IaaS model. This is because in all other cases, the cloud-provider is responsible for the management of the host infrastructure. I'd love to get more into shared responsibility, but that is likely the subject of another blog post.
Because the target architecture is IaaS, in general, all your existing on-premises solutions for operating system patch management could apply. This includes GPO settings with WSUS servers, custom yum repos, enabling/scripting update checks, etc.
In the Azure world, there are two options. Windows VMs can have automatic updates enabled at the run time using the ARM template configuration. For linux VMs, you can make use of the custom script extension to enable automatic updates at deployment time.
In general, connecting your machines directly to automated update mechanisms works only in certain types of scenarios (stand alone machines, dev/test, etc). In most other scenarios, you generally want additional options such as specifying an appropriate time, whitelisting/blacklisting updates, and staging updates across your infrastructure.
For those wanting more control over their updates, Azure has published an update management solution that makes use of the Azure Automation infrastructure to manage your updates. I might cover update management in more detail in a future blog post.
In conclusion, managing operating system updates for Azure IaaS VMs is a very similar process to what you would currently do on-premises today. There are features within the platform that make updates easier to maintain if you do not currently have a solution. For the other deployment models, patching is an issue for the cloud-provider, and not the cloud-consumer.