Playbook

Beginning a Zero Trust transformation from a traditional perimeter model.

→Prioritize the principle of "Verify explicitly". Authenticate and authorize every access request based on all available data points (identity, device, location, service, data, anomalies).

Why: Explicit verification is the foundational pillar of Zero Trust. All other controls (least privilege, assume breach) build upon this core principle of never trusting and always verifying.

Reference↗

Designing a comprehensive defense against the full ransomware attack chain.

→Combine Privileged Access Workstations (PAWs) to prevent credential theft and lateral movement, with an immutable backup architecture (Azure Backup immutable vaults, MUA) for resilient recovery.

Why: This addresses both prevention (PAWs disrupt the attack) and recovery (immutable backups ensure business continuity if prevention fails), providing true resilience.

Integrating threat modeling into an agile development lifecycle with short sprints.

→Implement incremental threat modeling using STRIDE methodology. Integrate it into sprint planning, updating the model as architecture evolves, and using it as a gate for security reviews.

Why: Threat modeling must be continuous, not a one-time event, to be effective in agile environments. Incremental updates keep security aligned with development velocity.

Implementing Zero Trust with a phased approach for quick wins.

→Follow the Zero Trust Rapid Modernization Plan (RaMP) prioritization: 1. Identity & Access Management, 2. Endpoints & Devices, 3. Applications, 4. Network & Infrastructure.

Why: Securing identity provides the most significant immediate risk reduction and forms the control plane for all other Zero Trust pillars.

Prioritizing vulnerability remediation based on business impact, not just CVSS scores.

→Use Microsoft Security Exposure Management to perform attack path analysis against identified critical assets. Prioritize remediation of vulnerabilities that provide viable attack paths to high-value targets.

Why: Attack path analysis contextualizes vulnerabilities with business risk, ensuring remediation efforts are focused on threats that pose the greatest danger to the organization.

Enforcing a consistent security baseline across a large enterprise with many Azure subscriptions.

→Implement Azure Policy initiatives aligned with MCSB at the root management group. Use Microsoft Defender for Cloud for continuous compliance monitoring across all inherited subscriptions.

Why: Management group-level policy assignment provides scalable, inherited guardrails for all current and future subscriptions, ensuring a consistent security baseline by default.

Designing a Security Operations Center (SOC) for a global company with regional data residency requirements.

→Deploy a multi-workspace Microsoft Sentinel architecture. Keep data in regional Log Analytics workspaces to meet residency needs. Use Azure Lighthouse for centralized management and cross-workspace queries for unified threat hunting.

Why: This model balances centralized security operations and global visibility with local data residency compliance, avoiding data transfer violations.

Reference↗

Optimizing SOC operations using both Microsoft Defender XDR and Microsoft Sentinel.

→Enable the Microsoft Defender XDR connector in Sentinel for bi-directional incident sync. Use Defender XDR for deep, automated investigation of M365/endpoint incidents. Use Sentinel for cross-domain correlation with third-party sources and advanced hunting.

Why: This "better together" approach leverages the strengths of both platforms: XDR for integrated, automated response within the Microsoft ecosystem and SIEM for broad, cross-platform visibility and correlation.

Implementing incident response automation without introducing excessive risk from false positives.

→Design a tiered automation strategy in Sentinel. Fully automate low-risk actions (enrichment, notifications). Use human-in-the-loop approval workflows for medium-risk actions (blocking IPs). Reserve high-impact actions (disabling accounts) for manual execution.

Why: Tiered automation balances speed of response with appropriate oversight, maximizing SOC efficiency for common tasks while preventing automated actions from causing major operational disruption.

Establishing a unified security monitoring plane across on-premises, Azure, AWS, and GCP.

→Use Microsoft Sentinel as the central SIEM. Onboard on-prem/multicloud servers via Azure Arc. Use native Sentinel data connectors for AWS and GCP services. Enable Microsoft Defender for Cloud across all environments.

Why: Azure Arc extends the Azure control plane to any infrastructure, providing a single pane of glass for security management (Defender for Cloud) and monitoring (Sentinel) across hybrid and multicloud estates.

Ensuring long-term, tamper-proof retention of administrative audit logs for compliance.

→Configure diagnostic settings to export Azure Activity Logs to a dedicated Log Analytics workspace and an immutable Azure Storage account. Place these resources in a separate, locked-down security/management subscription.

Why: Immutable storage (WORM) prevents log tampering. A separate management subscription isolates logs from workload administrators, preventing a compromised admin from covering their tracks.

Prioritizing security control investments based on likely attack patterns.

→Map existing security controls to the MITRE ATT&CK framework. Analyze threat intelligence relevant to the industry to identify common TTPs used by likely adversaries. Prioritize closing detection/prevention gaps for those specific TTPs.

Why: This threat-informed approach ensures that security investments are directly addressing the most probable and impactful attack vectors, maximizing risk reduction.

Managing excessive permissions (permission sprawl) for identities across Azure, AWS, and GCP.

→Deploy Microsoft Entra Permissions Management (CIEM). Use it for continuous discovery of permissions, risk assessment (Permission Creep Index), and generating recommendations for right-sizing permissions to enforce least privilege.

Why: CIEM is a specialized solution to address the complexity of multicloud permissions, providing visibility and automated analysis that is not feasible with native cloud IAM tools alone.

Designing a program to detect data exfiltration or sabotage by internal employees.

→Implement Microsoft Purview Insider Risk Management. Integrate with HR systems to trigger policies based on employment events (e.g., resignation). Configure policies based on risk indicators and use pseudonymization to protect privacy during initial analysis.

Why: Effective insider risk management requires correlating technical signals (e.g., mass download) with HR context (e.g., employee termination date), which Purview is designed to do while respecting privacy.

Designing network security for a standard hub-and-spoke Azure topology.

→Deploy Azure Firewall Premium in the hub VNet for centralized traffic inspection (including IDPS and TLS inspection). Use User-Defined Routes (UDRs) to force-tunnel traffic from spokes. Use NSGs for microsegmentation within spokes. Enable Azure DDoS Protection on the hub.

Why: This layered architecture provides defense-in-depth: centralized threat protection in the hub, microsegmentation in the spokes, and volumetric attack protection at the edge.

Reference↗

Architecting to prevent an attacker from moving from a compromised workstation to critical servers (Tier 0).

→Implement the tiered administration model. Use separate, dedicated accounts and Privileged Access Workstations (PAWs) for different tiers of administration (Tier 0, 1, 2). Enforce that Tier 0 credentials are never used on lower-tier systems.

Why: This creates credential isolation boundaries, making it impossible for credential theft on a lower-tier asset (like a user workstation) to lead to the compromise of a higher-tier asset (like a domain controller).

Securing an Operational Technology (OT) environment with legacy devices that cannot run security agents.

→Deploy Microsoft Defender for IoT using passive, agentless network sensors. Implement network segmentation based on the Purdue model to create a DMZ between IT and OT. Integrate Defender for IoT alerts into Microsoft Sentinel.

Why: Passive network monitoring provides visibility into OT-specific protocols and threats without impacting sensitive, legacy industrial systems. Segmentation contains threats and controls IT/OT data flows.

Designing defense-in-depth security for Azure Kubernetes Service (AKS) workloads.

→Combine Microsoft Defender for Containers (registry scanning, runtime threat detection) with Azure Policy for AKS (admission control to enforce security standards like no privileged containers) and network policies (for pod-to-pod microsegmentation).

Why: Container security requires a multi-layered approach: "shift-left" in the registry, preventive guardrails at deployment (admission control), network isolation at runtime, and runtime threat detection.

Reference↗

Designing highly secure and performant connectivity between on-premises datacenters and Azure.

→Use ExpressRoute with private peering as the primary connection, with a site-to-site VPN as a failover backup. Enable MACsec or IPsec encryption over ExpressRoute. Use Private Endpoints for accessing Azure PaaS services.

Why: ExpressRoute provides a private, dedicated connection, bypassing the public internet. Private Endpoints ensure PaaS traffic also stays off the internet. Encryption over ExpressRoute provides defense-in-depth.

Designing maximum security for an Azure Storage account containing sensitive data.

→Disable public access and anonymous access. Use Private Endpoints for network access. Use managed identities for application authentication. Enforce encryption with customer-managed keys (CMK). Enable Microsoft Defender for Storage for threat detection.

Why: This layered approach addresses all key security vectors: network exposure (Private Endpoints), credential management (managed identities), encryption control (CMK), and runtime threats (Defender for Storage).

Applying consistent security management and governance to on-premises and multicloud servers.

→Onboard the servers to Azure Arc. This extends the Azure control plane, allowing management via Microsoft Defender for Cloud (CSPM/CWP), application of Azure Policy (including guest configuration), and use of services like Update Management.

Why: Azure Arc is the foundational technology for creating a single management and security plane across a hybrid and multicloud server estate.

Reference↗

Securing remote worker access to both internet/SaaS apps and private corporate applications.

→Implement Microsoft's Global Secure Access. Use Microsoft Entra Internet Access as a Secure Web Gateway (SWG) for SaaS/internet traffic. Use Microsoft Entra Private Access as a Zero Trust Network Access (ZTNA) solution to replace traditional VPNs.

Why: This provides a unified, identity-centric SSE solution that applies consistent security policies regardless of user location or resource type, aligning with modern Zero Trust principles.

Designing comprehensive protection for Azure virtual machines.

→Enable Microsoft Defender for Servers Plan 2, which includes Defender for Endpoint (EDR). Use Just-in-Time (JIT) VM access to close management ports by default. Use Azure Bastion for secure, broker-based administrative access without public IPs.

Why: This provides layered defense: JIT and Bastion reduce the attack surface, while Defender for Servers provides advanced threat detection and response (EDR) for the workload itself.

Protecting highly sensitive data while it is being processed (data-in-use) from privileged access, including cloud administrators.

→Use Azure Confidential Computing VMs (e.g., based on AMD SEV-SNP) or confidential containers on AKS. This creates a hardware-based Trusted Execution Environment (TEE) where data and code are encrypted and isolated during execution.

Why: Confidential computing addresses the final data state (in-use) not covered by encryption at-rest or in-transit, providing protection even from the hypervisor and host OS.

Hardening a complex on-premises Active Directory environment against targeted attacks.

→Prioritize implementing the tiered administration model to prevent lateral movement. Deploy the Protected Users security group and authentication policy silos to shield privileged accounts from credential theft attacks (e.g., Pass-the-Hash).

Why: These controls address the most common and impactful AD attack vectors: lateral movement and credential theft. They are more critical than general hardening measures like LDAP signing.

Implementing Zero Trust privileged access for administrators of Azure and Microsoft Entra ID.

→Deploy Microsoft Entra Privileged Identity Management (PIM). Convert all standing privileged assignments to "eligible". Configure time-bound activation, approval workflows for critical roles, and mandatory access reviews.

Why: PIM is the core Microsoft service for implementing Just-in-Time (JIT) and least privilege access for Azure/Entra roles, eliminating the significant risk of standing privileged access.

Reference↗

Designing a scalable and manageable Conditional Access policy structure.

→Implement a tiered framework with baseline policies for all users, enhanced policies for sensitive applications, and strict policies for privileged access. Use signals like named locations and device compliance to reduce friction for trusted scenarios.

Why: A single, monolithic policy is unmanageable. A tiered approach matches control strength to risk level, providing robust security where needed without creating undue friction for everyday tasks.

Automating and governing the full identity lifecycle (joiner, mover, leaver).

→Use Microsoft Entra ID Governance. Implement HR-driven provisioning, Entra ID Lifecycle Workflows for automation, Entitlement Management for access packages (bundling permissions for roles), and regular Access Reviews for attestation.

Why: This provides an end-to-end, automated governance solution that ensures access is granted correctly, modified with role changes, and revoked promptly upon termination, addressing the risk of stale accounts and privilege creep.

Managing secure access for different types of external users (partners, customers).

→Use Microsoft Entra B2B collaboration for partners and contractors, governed by cross-tenant access policies. Use Microsoft Entra B2C for customer-facing applications, providing a separate, scalable directory with customizable user journeys.

Why: B2B and B2C are purpose-built for different external identity scenarios. Using the right tool avoids security and scalability issues that arise from treating all external users the same (e.g., creating internal accounts for them).

Protecting sensitive data consistently across Microsoft 365 and Azure.

→Deploy Microsoft Purview Information Protection. Use automated classification (sensitive info types, trainable classifiers) to apply sensitivity labels. Configure labels to enforce protection (encryption, access restrictions) on data wherever it resides.

Why: Data-centric protection follows the data itself. Automated classification at scale is the only feasible way to ensure consistent labeling and protection across a large data estate.

Securing internal and external APIs against common threats.

→Deploy Azure API Management as a unified gateway. Enforce strong authentication with OAuth 2.0. Configure policies for rate limiting and request validation. Enable Microsoft Defender for APIs for runtime threat detection.

Why: API security requires a gateway to act as a policy enforcement point. Combining preventive controls (APIM policies) with detective controls (Defender for APIs) provides defense-in-depth against API-specific attacks.

Integrating security into a CI/CD pipeline to find vulnerabilities early ("shift-left").

→Implement GitHub Advanced Security (or Defender for DevOps). Integrate automated SAST (code scanning), dependency scanning (SCA), and secret scanning directly into the CI pipeline and pull request process. Use security gates to block builds with critical vulnerabilities.

Why: Automated scanning within the developer workflow provides fast feedback, allowing vulnerabilities to be fixed early when it is cheapest to do so, without creating a bottleneck at a pre-production security review.

Designing a secure and manageable solution for application secrets, keys, and certificates.

→Use Azure Key Vault. Isolate vaults per application or security boundary. Use managed identities for Azure resources to access the vault (no stored credentials). Enable soft-delete and purge protection. Monitor with Defender for Key Vault.

Why: Key Vault provides a centralized, hardware-backed, and auditable secret store. Using managed identities is the critical component that eliminates the "secret zero" problem of how to secure the credentials used to access the vault itself.

Implementing layered security for a sensitive Azure SQL database.

→Combine Transparent Data Encryption (TDE) with customer-managed keys (CMK), Always Encrypted for specific sensitive columns, dynamic data masking for non-privileged users, Microsoft Defender for SQL for threat detection, and Azure AD-only authentication.

Why: No single control is sufficient. This layered approach protects data at rest (TDE), in use (Always Encrypted), from unauthorized viewing (masking), from threats (Defender), and ensures strong authentication (Azure AD).

Preventing data loss across email, Teams, SharePoint, and endpoint devices.

→Deploy Microsoft Purview DLP. Create unified policies that apply across M365 services and endpoints. Align DLP rules with sensitivity labels. Use Endpoint DLP to control actions on managed devices (e.g., block copy to USB).

Why: A unified policy engine ensures consistent enforcement across all data channels. Endpoint DLP is critical to extend protection beyond the cloud to the user device itself.

Preparing an organization's data environment for the secure deployment of Copilot for Microsoft 365.

→Prior to deployment, focus on information governance. Use tools like SharePoint Advanced Management to find and remediate overshared sites and files. Ensure a robust data classification and sensitivity labeling strategy is in place and applied.

Why: Copilot respects existing permissions. Its ability to rapidly surface information makes pre-existing oversharing issues a critical risk. "Getting your data house in order" is a prerequisite for secure AI deployment.

Designing comprehensive security for a business-critical web application.

→Use Azure Application Gateway with Web Application Firewall (WAF) in prevention mode. Integrate SAST/DAST scanning into the CI/CD pipeline. Enable Microsoft Defender for App Service for runtime monitoring. Place the App Service on a Private Endpoint.

Why: This provides protection at multiple layers: at the edge (WAF), in the code (SAST/DAST), on the platform (Defender), and on the network (Private Endpoint), addressing a wide range of web application threats.

Designing authentication for microservices in AKS to access each other and Azure PaaS services without stored credentials.

→Implement Azure AD Workload Identity to allow Kubernetes pods to acquire Azure AD tokens. Use a service mesh (e.g., Istio, Linkerd) to enforce mutual TLS (mTLS) for all service-to-service communication within the cluster.

Why: This pattern completely eliminates long-lived secrets (passwords, keys) from the application environment, significantly improving the security posture. Workload Identity handles north-south auth to Azure, while mTLS handles east-west auth within the cluster.

Meeting strict compliance requirements (e.g., FIPS 140-2 Level 3) for storing cryptographic keys.

→Use Azure Key Vault Managed HSM. This provides a dedicated, single-tenant, FIPS 140-2 Level 3 validated HSM that is fully managed by Microsoft but gives the customer complete control over the security domain.

Why: For the highest level of compliance and key control, Managed HSM is required over the standard/premium Key Vault tiers, which use shared, multi-tenant HSMs (FIPS 140-2 Level 2).

Protecting the application development process from threats like compromised dependencies or malicious code injection.

→Design a secure pipeline using private package registries (e.g., Azure Artifacts), dependency scanning (SCA), Software Bill of Materials (SBOM) generation, artifact signing, and provenance verification.

Why: This addresses multiple stages of the supply chain: controlling inputs (private registry), validating components (SCA, SBOM), and ensuring the integrity of outputs (signing, provenance).