Security considerations for your cloud strategy

You need a well-designed security strategy for a successful cloud adoption. If your organization uses traditional on-premises environments, you should evaluate your cloud expertise and specifically focus on cloud security. To manage security in the cloud, you might need to significantly change your security team structure and overall security approach.

Potential changes to your organization might introduce stress and conflict. For a successful cloud adoption, ensure that your management teams provide support and clearly present changes to other teams.

Address common challenges

Evolve your mindset. On-premises security is typically a narrowly focused practice that a small team of engineers and operations administrators might handle. Cloud security requires participation from across the organization, and the scope of security teams expands significantly. An on-premises environment's attack surface is primarily at the perimeter. In a cloud environment, every resource is a potential attack vector, so security teams need to adapt their approach accordingly.

Adjust teams and roles. Cloud security, especially for large organizations, involves specialized roles. To avoid gaps in your security management, you might need to add new teams or reorganize existing teams.

Recommendations:

  • Introduce security conversations early. Start security conversations with the right stakeholders early in your cloud adoption process. Engaging them from the start helps you align your organization before design decisions are locked in.

  • Understand modern security teams, roles, and functions. Review the Cloud Adoption Framework guidance about security teams, roles, and functions. This guidance describes how to implement end-to-end security.

  • Embrace the Cloud Adoption Framework Secure methodology. Use the Cloud Adoption Framework Secure methodology to apply Microsoft security best practices at each stage of your cloud adoption journey. The guidance for each phase covers several security approaches, including security posture modernization, incident preparation and response, security sustainment, and the Confidentiality, Integrity, and Availability (CIA) Triad.

Understand the Microsoft Secure Future Initiative

As a worldwide cloud provider, Microsoft prioritizes security above all other concerns and recognizes the critical need to prevent security breaches. The Microsoft Secure Future Initiative addresses these concerns and provides guidance on building and maintaining Microsoft products.

The extent to which you prioritize security over other concerns, like reliability, performance, and costs, depends on many factors. You define these factors when you create your overall adoption strategy. Regardless of your priorities, understand the Microsoft Secure Future Initiative pillars to focus on key security areas you want to strengthen in your cloud estate.

Adopt a Zero Trust strategy

The Zero Trust principles create the foundation of the Microsoft security strategy. Zero Trust is a cloud-ready security strategy that consists of three main principles:

  • Verify explicitly: Always authenticate and authorize based on all available data points.

  • Use least privilege: Limit user access with just-in-time and just-enough access, risk-based adaptive policies, and data protection.

  • Assume breach: Minimize the blast radius and segment access. Verify end-to-end encryption, and use analytics to get visibility, drive threat detection, and improve defenses.

The Zero Trust principles guide your decisions when you design, implement, and operate a cloud estate. They provide a clear reference point to check against, which helps ensure that your choices don't compromise security.

Use the Microsoft Zero Trust guidance to streamline the integration of a Zero Trust approach into your security strategy. The Zero Trust guidance:

  • Provides a tightly focused and structured adoption framework that aligns with the adoption journey phases of the Cloud Adoption Framework for Azure. Use this guidance to align your overall cloud adoption with the Zero Trust approach.

  • Explains how Azure, Microsoft 365, and AI services can help you align your cloud estate to the Zero Trust principles.

  • Provides guidance about aligning your development practices to the Zero Trust principles.

Recommendations:

  • Adopt Zero Trust. Use the Microsoft Zero Trust guidance to implement Zero Trust principles, which drive a security-first mindset.

Use the CISO and MCRA workshops

Microsoft offers workshops to help decision makers and architects apply best practices to their cloud adoption. The Chief Information Security Officer (CISO) workshop focuses on thoroughly modernizing cybersecurity practices from the perspective of the CISO and other senior leadership roles.

The Microsoft Cybersecurity Reference Architecture (MCRA) workshop focuses on applying architectural best practices to your cloud environment designs. The Zero Trust principles create the foundation for the guidance in the CISO and MCRA workshops. The workshops also align to Microsoft best practices across the Cloud Adoption Framework, Azure Well-Architected Framework, and Zero Trust security recommendations.

Recommendations:

  • Consult with team leaders about the CISO and MCRA workshops. Consider investing in one or more Microsoft-led workshops. Take advantage of the CISO and MCRA workshops in particular. For Microsoft-led workshop material, see Security adoption resources.