Design area overview
Make use of the recommendations, alerting, and remediation capabilities of Microsoft Defender for Cloud. Your security team can also integrate Microsoft Defender for Cloud into Microsoft Sentinel if they need a more robust, centrally managed hybrid and multicloud security information and event management (SIEM)/security orchestration, automation, and response (SOAR) solution.
Microsoft cloud security benchmark
The Microsoft cloud security benchmark includes high-impact security recommendations to help you secure most of the services you use in Azure. You can think of these recommendations as general or organizational, as they’re applicable to most Azure services. The Microsoft cloud security benchmark recommendations are then customized for each Azure service. This customized guidance is contained in service recommendations articles.
The Microsoft cloud security benchmark documentation specifies security controls and service recommendations.
- Security controls: The Microsoft cloud security benchmark recommendations are categorized by security controls. Security controls represent high-level vendor-agnostic security requirements, like network security and data protection. Each security control has a set of security recommendations and instructions that help you implement those recommendations.
- Service recommendations: When available, benchmark recommendations for Azure services will include Microsoft cloud security benchmark recommendations that are tailored specifically for that service.
Access control design considerations
Modern security boundaries are more complex than boundaries in a traditional datacenter. The four walls of the datacenter no longer contain your assets. Keeping users out of the protected network is no longer sufficient to control access. In the cloud, your perimeter is composed of two parts: network security controls and Zero Trust access controls.
Advanced network security
- Plan for inbound and outbound internet connectivity
- Plan for landing zone network segmentation
- Define network encryption requirements
- Plan for traffic inspection
Zero Trust
For Zero Trust access with identities, you should consider:
- Which teams or individuals require access to services within the landing zone? What roles do they perform?
- Who should authorize the access requests?
- Who should receive the notifications when privileged roles are activated?
- Who should have access to the audit history?
Implementing Zero Trust can go beyond identity and access management. You should consider whether your organization needs to implement Zero Trust practices across multiple pillars, such as infrastructure, data, and networking.