
Microsoft Cybersecurity Reference Architectures (MCRA)
Zero Trust and Related Topics
Security Guidance, May 2021 - https://aka.ms/MCRA

Securing Digital Transformation (slide diagram): guidance mapped to audience
• Business leadership (CEO): Business and Security Integration
• Technical leadership (CIO, CISO): Cloud Adoption Framework (CAF) - Security Strategy, Programs, and Epics
• Architecture and Policy (Architects & Technical Managers): Microsoft Cybersecurity Reference Architectures (MCRA); Initiative Planning/Execution - Azure Security Benchmark, Zero Trust, Ransomware, Privileged Access, Azure Top 10
• Technical Planning: Microsoft Security Documentation
• Implementation (Azure | Microsoft 365): Product Docs; Well Architected Framework (for Azure workload owners)
Key Industry References and Resources
• Zero Trust Core Principles - https://publications.opengroup.org/security-library/w210
• NIST Cybersecurity Framework - https://www.nist.gov/cyberframework
• Zero Trust Architecture - https://www.nist.gov/publications/zero-trust-architecture
• CIS Benchmarks - https://www.cisecurity.org/cis-benchmarks/
Managing Information\Cyber Risk, May 2021 - https://aka.ms/SecurityRoles
Security responsibilities or “jobs to be done” (slide diagram), including:
• Information Risk Management
• Program Management Office (PMO)
• Supply Chain Risk (People, Process, Technology)
• Posture Management
• Incident Preparation, Incident Response, and Incident Management
• Threat Hunting
Microsoft cybersecurity capabilities overview (slide diagram) - https://aka.ms/MCRA
• Azure Sentinel – Cloud Native SIEM, SOAR, and UEBA for IT, OT, and IoT, fed by Azure & 3rd party clouds, endpoint & server/VM (on-premises), Office 365 email and apps, identity, SaaS app security, and other Microsoft Cloud tools, logs, and data sources
• Security documentation and Microsoft best practices: Top 10, Benchmarks, CAF, WAF
• Azure Active Directory, including Azure AD App Proxy (beyond user VPN), B2B, and B2C
• Azure Security Center – Cross-Platform Cloud Security Posture Management (CSPM)
• Data protection lifecycle: discover, classify, protect, monitor
• Azure Key Vault, Azure Backup, and other security services; coverage spans S3, on-premises, IaaS, and PaaS
• GitHub Advanced Security – Secure development and software supply chain


Key cross-platform and multi-cloud guidance (slide diagram): multi-cloud & hybrid protection in Azure Security Center, Azure Arc, and Cloud App Security (CASB).
Defend across attack chains (slide diagram) - https://aka.ms/MCRA
Attack chain shown: brute force an account; user receives an email attachment, clicks on a URL, browses to a website, or runs a program -> exploitation -> installation -> command and control channel -> reconnaissance -> lateral movement -> domain dominance.
Defenses mapped to the chain:
• Identity & conditional access for cloud apps: Azure AD Identity Protection + Conditional Access
• Email protection: Defender for Office 365 (Office 365 ATP)
• Endpoint protection: Microsoft Defender for Endpoint (Defender ATP)
• Identity protection: Defender for Identity (Azure ATP)
• Data protection & classification: Endpoint DLP / Azure Information Protection
• Infrastructure protection: Azure Defender (Azure Security Center)
Defend across attack chains (slide diagram) - https://aka.ms/MCRA
Products placed along the chain: Defender for Office 365, Defender for Endpoint, Defender for Identity, Azure AD Identity Protection, Microsoft Cloud App Security, Azure Defender.
Credential and endpoint attack chain: phishing mail, brute force account, click a URL, or browse a website -> open attachment or use stolen account credentials -> exploitation and installation -> command and control -> attacker collects reconnaissance & configuration data -> user account is compromised -> attacker attempts lateral movement -> privileged account compromised -> domain compromised -> attacker accesses sensitive data -> exfiltration of data.
Insider risk chain (Insider risk management): leading indicators (history of violations, distracted and careless, disgruntled or disenchanted, subject to stressors) -> insider has access to sensitive data -> anomalous activity detected -> data leakage or potential sabotage.
Operational Technology (OT) Security Reference Architecture - https://aka.ms/MCRA
Apply zero trust principles to securing OT and industrial IoT environments

Blended cybersecurity attacks are driving convergence of IT, OT, and IoT security architectures and capabilities.

Analytics (slide diagram):
• Business Analytics - Azure Analytics (IoT Hub, PowerBI, Azure Edge, Digital Twins, and more) and 3rd party analytics
• Security Analytics - Azure Sentinel, with a native plug-in for Azure Defender for IoT, native OT investigation & remediation playbooks, and correlation with other data sources and threat intelligence (attack groups & context); 3rd party analytics

IIoT / OT Digital Transformation drivers:
• Business Efficiency - Data to enable business agility
• Governance & Regulatory Compliance with safety and other standards
• Emerging Security Standards like CMMC

Operational Technology (OT) Environments vs Information Technology (IT) Environments (table):
• Priorities: OT - Safety/Integrity/Availability; IT - Confidentiality/Integrity/Availability
• Hardware Age: OT - 50-100 years (mechanical + electronic overlay); IT - 5-10 years
• Warranty length: OT - up to 30-50 years; IT - 3-5 years
• Protocols: OT - Industry Specific (often bridged to IP networks); IT - Native IP, HTTP(S), Others
• Security Hygiene: OT - Isolation, threat monitoring, managing vendor access risk, patching (rarely); IT - Multi-factor authentication (MFA), patching, threat monitoring, antimalware

Purdue Model (slide diagram):
• Level 3 – Site Operations: Control & monitoring for physical site with multiple functions (e.g. plant); business analytic sensor(s)
• Level 2 – Supervisory Control: Monitoring & Control for discrete business functions (e.g. production line); plant security console (optional); network TAP/SPAN sensor(s) + analytics with optional cloud connection (TLS with mutual authentication) to Azure Defender for IoT manager and security console, or a 3rd party SIEM
• Level 1 – Basic Control: Electronics controlling or monitoring physical systems
• Level 0 – Process: Physical machinery
• Safety systems

Isolation and Segmentation: physically disconnect from IT network(s) as business processes allow. Internal hard boundary; soft(ware) boundary of people, process, and tech (network controls + identity access control, boundary patching and security hygiene).
Transform with Zero Trust Principles: the Purdue model assumed a static site/enterprise model.
• Datacenter Segments – Align network/identity/other segmentation to business workloads and business risk
• End user access - Dynamically grant access based on explicit validation of current user and device risk level

©Microsoft Corporation
Zero Trust Principles - Assume breach, verify explicitly, Use least privilege access (identity and network)
Why are we having a Zero Trust conversation?
3. Assets increasingly leave the network
• BYOD, WFH, Mobile, and SaaS
4. Attackers shift to identity attacks
• Phishing and credential theft
• Security teams often overwhelmed
Microsoft Zero Trust Principles

Verify explicitly - Always validate all available data points including:
• User identity and location
• Device health
• Service or workload context
• Data classification
• Anomalies

Use least privilege access - To help secure both data and productivity, limit user access using:
• Just-in-time (JIT)
• Just-enough-access (JEA)
• Risk-based adaptive policies
• Data protection against out of band vectors

Assume breach - Minimize blast radius for breaches and prevent lateral movement by:
• Segmenting access by network, user, devices, and app awareness
• Encrypting all sessions end to end
• Using analytics for threat detection, posture visibility and improving defenses
Zero Trust User Access (slide diagram) - https://aka.ms/MCRA, aka.ms/zerotrust
Signals fed to the Security & Compliance Policy Engine (Azure AD Conditional Access):
• User: groups/role, location, privileges, session risk, user risk (from Microsoft Azure AD, Microsoft 365 Defender, and Microsoft Information Protection)
• Device: managed or BYOD, health & compliance, device risk, type and OS version, encryption status (from Microsoft Defender for Endpoint and Microsoft Endpoint Manager)
Enforcement and monitoring: Conditional Access App Control (Microsoft Cloud App Security) and Azure Sentinel.
Zero Trust Resources - aka.ms/zerotrust
• Zero Trust: Security Through a Clearer Lens session (Recording | Slides)
• CISO Workshop Slides/Videos
• Microsoft’s IT Learnings from (ongoing) Zero Trust journey

Drivers listed on the slide:
• Normalization of remote work
• Rapidly evolving partnerships and competitors
• Rapidly changing communication patterns
• Evolving national interests and regulations

Approaches listed on the slide:
• Automated Policy Enforcement - to address changing processes and models in an agile manner at minimum cost
• Adaptive identity management - to respond to rapidly changing roles, responsibilities and relationships
• Data-centric and asset-centric approaches – to
  o Better focus security resources by limiting the scope of what to protect (via trusted zones, tokenization, or similar approaches)
  o Better monitor assets and respond to threats regardless of network location

Zero Trust Components - enable flexible business workflows for the digitized world: Digital Ecosystems, Data/Information, APIs, Apps & Systems, Secured Zones
Zero Trust Core Principles (slide diagram)
Business Strategy and Organizational Culture – Shapes Zero Trust Strategy and Priorities
• Organizational Value and Risk: 1. Modern work enablement; 2. Goal alignment; 3. Risk alignment
• Guardrails and Governance: 4. People guidance and inspiration; 5. Risk & complexity reduction; 6. Alignment & automation; 7. Security for the full lifecycle
• Technology and Security Controls: 8. Asset-centric security; 9. Least privilege; 10. Simple and pervasive; 11. Explicit trust validation
ORGANIZATIONAL VALUE AND RISK
1. Modern Work Enablement – Users in organizational ecosystems must be able to work on any network in any location with the same security assurances.
2. Goal Alignment – Security must align with and enable organization goals within the risk tolerance and threshold.
3. Risk Alignment – Security risk must be managed and measured using a consistent risk framework and considering organizational risk tolerance and thresholds.

GOVERNANCE
4. People Guidance and Inspiration – Organizational governance frameworks must guide people, process, and technology decisions with clear ownership of decisions, policy and aspirational visions.
5. Risk and Complexity Reduction – Governance must reduce both complexity and threat surface area.
6. Alignment and Automation – Policies and security success metrics must map directly to organizational mission and risk requirements and should favor automated execution and reporting.
7. Security for the Full Lifecycle – Risk analysis and confidentiality, integrity, and availability assurances must be sustained for the lifetime of the data, transaction, or relationship.

TECHNOLOGY AND SECURITY CONTROLS
8. Asset-Centric Security – Security must be as close to the assets as possible (i.e., data-centric and application-centric approaches instead of network-centric strategies) to provide a tailored approach that minimizes productivity disruption.
9. Least Privilege – Access to systems and data must be granted only as required and removed when no longer required.
10. Simple and Pervasive Security – Security mechanisms must be simple, scalable, and easy to implement and manage throughout the organizational ecosystem (whether internal or external).
11. Explicit Trust Validation – Assumptions of integrity and trust level must be explicitly validated against organization risk threshold and tolerance.

Companion list shown alongside on the slide (the Jericho Forum Commandments):
1. The scope and level of protection should be specific and appropriate to the asset at risk.
2. Security mechanisms must be pervasive, simple, scalable, and easy to manage.
3. Assume context at your peril.
4. Devices and applications must communicate using open, secure protocols.
5. All devices must be capable of maintaining their security policy on an un-trusted network.
6. All people, processes, and technology must have declared & transparent levels of trust for any transaction to take place.
7. Mutual trust assurance levels must be determinable.
8. Authentication, authorization, and accountability must interoperate/exchange outside of your locus/area of control.
9. Access to data should be controlled by security attributes of the data itself.
10. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties/privileges.
11. By default, data must be appropriately secured when stored, in transit, and in use.
https://aka.ms/MCRA

Security operations teams and metrics (slide diagram)
Align to Mission + Continuously Improve
• Responsiveness - Mean Time to Acknowledge (MTTA)
• Effectiveness - Mean Time to Remediate (MTTR)
Analysts and Hunters: provide actionable security alerts, raw logs, or both.
Partner Teams: IT Operations, DevOps, Insider Threat, and more.
Integrating Silos is Challenging - mapping challenges.
How do signals and AI help protect you? Microsoft Threat Intelligence - Built on diverse signal sources and AI (see Microsoft Trust Center) - https://aka.ms/MCRA
Identity governance capabilities listed: Automated User Provisioning, Privileged Identity Management (PIM), Entitlement Management, Terms of Use, Access Reviews
Detection products listed: Microsoft Defender for Endpoint, Azure AD Identity Protection, Microsoft Defender for Identity; Azure Defender - Detections across assets and tenants


Securing Privileged Access (slide diagram) - https://aka.ms/deploySPA
Typical path of user access: Devices/Workstations -> Account -> Intermediaries -> Interface -> Business Critical Assets; each hop is potential attack surface, and the levels of security along the path raise the attacker’s cost.
Asset Protection also required: security updates, DevSecOps, data at rest / in transit, etc.
Asset classes shown: Machine Learning (ML), Applications, API, Data & Websites. Related link: aka.ms/humanoperated
