Secure overview

The Cloud Adoption Framework for Azure Secure methodology provides a structured approach for securing your Azure cloud estate.

The guidance in this series of articles provides recommendations relevant to all methodologies within the Cloud Adoption Framework because security should be an integral part of every phase of your cloud adoption journey. Therefore, you can find articles aligned with each methodology that provide security recommendations for you to consider as you progress through each phase of your cloud adoption journey.

Diagram showing the methodologies involved in cloud adoption. The diagram has boxes for each phase: teams and roles, strategy, plan, ready, adopt, govern, and manage.

All of the recommendations in this guidance adhere to the Zero Trust principles of assume compromise (or assume breach), least privilege, and explicit verification of trust that should guide your security strategy, architecture, and implementation.

Holistic security guidance

Security is a complex and challenging discipline that you need to consider in nearly all aspects of your cloud and technology environments. Consider the following key points:

  • Anything is a potential target or attack vector: In today's world, attackers can exploit any weaknesses in an organization's people, processes, and technologies to accomplish their malicious goals.

  • Security is a team sport: To defend against these attacks, a coordinated approach is required across business, technology, and security teams. Each team must contribute to security efforts and collaborate effectively. For information about the various roles required to secure Azure resources, see Teams and roles.

This Cloud Adoption Framework Secure guidance is one component of a larger holistic set of Microsoft security guidance designed to help various teams understand and perform their security responsibilities. The complete set includes the following guidance:

  • The Cloud Adoption Framework Secure methodology provides security guidance for teams that manage the technology infrastructure that supports all the workload development and operations hosted on Azure.

  • Azure Well-Architected Framework security guidance provides guidance for individual workload owners about how to apply security best practices to application development and DevOps and DevSecOps processes. Microsoft provides guidance that complements this documentation about how to apply security practices and DevSecOps controls in a security development lifecycle.

  • Microsoft Cloud Security Benchmark provides best practice guidance for stakeholders to ensure robust cloud security. This guidance includes security baselines that describe the available security features and recommended optimal configurations for Azure services.

  • Zero Trust guidance provides guidance for security teams to implement technical capabilities to support a Zero Trust modernization initiative.

Each article covers several topics related to its aligned methodology:

  • Security posture modernization
  • Incident preparation and response
  • The Confidentiality, Integrity, and Availability (CIA) Triad
  • Security posture sustainment

Security posture modernization

Throughout your cloud adoption journey, look for opportunities to enhance your overall security posture through modernization. The guidance in this methodology is aligned with the Microsoft Zero Trust adoption framework. This framework provides a detailed, step-by-step approach to modernizing your security posture. As you review the recommendations for each phase of the Cloud Adoption Framework methodology, enhance them by using the guidance provided in the Zero Trust adoption framework.

Incident preparation and response

Incident preparation and response are cornerstone elements of your overall security posture. Your ability to prepare for and respond to incidents can significantly affect your success in operating within the cloud. Well-designed preparation mechanisms and operational practices enable quicker threat detection and help minimize the blast radius of incidents. This approach facilitates faster recovery. Similarly, well-structured response mechanisms and operational practices ensure efficient navigation through recovery activities and provide clear opportunities for continuous improvement throughout the process. By focusing on these elements, you can enhance your overall security strategy, which ensures resilience and operational continuity in the cloud.

The CIA Triad

The CIA Triad is a fundamental model in information security that represents three core principles. These principles are confidentiality, integrity, and availability.

  • Confidentiality ensures that only authorized individuals can access sensitive information. This policy includes measures like encryption and access controls to protect data from unauthorized access.

  • Integrity maintains the accuracy and completeness of data. This principle means protecting data from alterations or tampering by unauthorized users, which ensures that the information remains reliable.

  • Availability ensures that information and resources are accessible to authorized users when needed. This task includes maintaining systems and networks to prevent downtime and ensure continuous access to data.

Adopt the CIA Triad to ensure that your business technology remains reliable and secure. Use it to enforce reliability and security in your operations through well-defined, strictly followed, and proven practices. Some ways that the triad principles can help ensure security and reliability are:

  • Data protection: Protect sensitive data from breaches by taking advantage of the CIA Triad, which ensures privacy and compliance with regulations.

  • Business continuity: Ensure data integrity and availability to maintain business operations and avoid downtime.

  • Customer trust: Implement the CIA Triad to build trust with customers and stakeholders by demonstrating a commitment to data security.

Each methodology-aligned article provides recommendations for the principles of the CIA Triad. This approach ensures that you can address confidentiality, integrity, and availability. This guidance helps you thoroughly consider these aspects in every phase of your cloud adoption journey.

Security posture sustainment

Continuous improvement is crucial for maintaining a robust security posture in the cloud because cyber threats continuously evolve and become more sophisticated. To protect against these ever-changing risks, ensure ongoing enhancements. The guidance in these sections can help you set up your organization for long-term success by identifying opportunities for continuous improvement. Focus on these strategies as you establish and evolve your cloud environment over time.

Cloud security checklist

Use the cloud security checklist to see all tasks for each cloud security step. Quickly navigate to the guidance that you need.

  Cloud security step Cloud security tasks
Understand security teams and roles. Understand the role of the cloud service provider.
Understand the roles of Infrastructure and Platform teams.
Understand the roles of Security architecture, engineering, posture management teams.
Understand the roles of the Security Operations (SecOps and SOC) teams.
Understand the roles of Security Governance, Risk, and Compliance (GRC) teams.
Learn about security education and policy.
Integrate security into your cloud adoption strategy. Security posture modernization strategy.
Incident preparedness and response strategy.
Confidentiality strategy.
Integrity strategy.
Availability strategy.
Security posture sustainment strategy
Plan for a secure cloud adoption. Plan for landing zone adoption.
Security posture modernization planning.
Incident preparedness and response planning.
Confidentiality planning.
Integrity planning
Availability planning
Security posture sustainment planning
Ready your secure cloud estate. Ready for security posture modernization.
Ready for incident preparedness and response.
Ready for confidentiality.
Ready for integrity.
Ready for availability
Ready for security posture sustainment
Perform your cloud adoption securely. Security posture modernization adoption.
Adopt incident preparedness and response.
Adopt confidentiality.
Adopt integrity.
Adopt availability.
Adopt security posture sustainment
Securely govern your cloud estate. Security posture modernization.
Incident preparedness and response governance
Confidentiality governance.
Integrity governance.
Availability governance.
Sustaining security governance
Securely manage your cloud estate. Security posture modernization.
Managing incident preparedness and response
Managing confidentiality.
Managing integrity.
Managing availability.
Managing security sustainment

Next step