What: Guide organizations through an end-to-end security modernization, from the strategy and program level through architecture and technical planning, using Zero Trust principles.
Why: Rapidly increase security posture; align security to business priorities.
How: Provide best practices, references and other guidance based on real-world lessons learned for:
+ Strategy and Program (CISO Workshop)
+ Architectures and Technical Plans
+ Security Capability Adoption Planning
Tips: Set a North Star and keep going: a journey of incremental progress towards a clear vision. Mix of old and new: bring your experience and knowledge, but expect changes.
Microsoft Cybersecurity Reference Architectures (MCRA)
End to End Security Architecture following Zero Trust principles

Adoption Framework (You are here)
• Overview of Security Adoption Framework and End to End Cybersecurity Architecture
• Ruthlessly Prioritize: Identify top gaps + quick wins
• Get started: Start somewhere & continuously improve
Applying Zero Trust principles

Top End to End Security Challenges
• Incomplete or network-centric architectures aren’t agile and can’t keep up with continuous change (security threats, technology platforms, and business requirements)
• Challenges with:
  • Creating an integrated end to end architecture
  • Integrating security technologies
  • Planning and prioritizing security modernization initiatives

MCRA is a subset of the full Security Architecture Design Session (ADS) Module 1 workshop.

Whiteboard – Current Security Architecture
What types of attacks and adversaries are top of mind?
CISO Workshop – Security Program and Strategy
End-to-end Security Program Guidance + Integration with Digital & Cloud Transformation Teams

Security Architecture Design Session
Module 1 – Zero Trust Architecture and Ransomware
Module 2 – Secure Identities and Access
Module 3 – Modern Security Operations (SecOps/SOC)
Module 4 – Infrastructure & Development Security
Module 5 – Data Security & Governance, Risk, Compliance (GRC)
Module 6 – IoT and OT Security

Security Adoption Framework
Align security to business scenarios using initiatives that progressively get closer to full ‘Zero Trust’

1 Strategic Framework (Guiding North Star)
End to End Strategy, Architecture, and Operating Model
Disciplines: Secure Identities and Access | Modern Security Operations | Infrastructure and Development | Data Security & Governance, Risk, Compliance (GRC) | OT and IoT Security

Business Scenarios
1 - I want people to do their job securely from anywhere
2 - I want to minimize business damage from security incidents
3 - I want to identify and protect critical business assets
4 - I want to proactively meet regulatory requirements
5 - I want to have confidence in my security posture and programs
Security Adoption Framework
Reduce risk by rapidly modernizing security capabilities and practices

Audiences: Business Leadership (CEO) | CISO | CIO Technical Leadership | Architects & Technical Managers
Layers: Business and Security Integration | Security Strategy, Programs, and Epics / Initiatives | Architecture and Policy | Implementation and Operation Technical Planning

Engaging Business Leaders on Security
Securing Digital Transformation
Secure Identities and Access
Modern Security Operations (SecOps/SOC)
Infrastructure & Development Security
Data Security & Governance
IoT and OT Security

Microsoft Cybersecurity Reference Architectures (MCRA)
Assess current plans, configurations, and operations for Microsoft security capabilities
Includes Reference Plans
Common Security Antipatterns - Technical Architecture
Common mistakes that impede security effectiveness and increase organizational risk
• Securing cloud like on-premises – Attempting to force on-prem controls and practices directly onto cloud resources
• Lack of commitment to lifecycle – Treating security controls and processes as points in time instead of an ongoing lifecycle
• Wasting resources on legacy – Legacy system maintenance and costs draining ability to effectively secure business assets
• Disconnected security approach – Independent security teams, strategies, tech, and processes for network, identity, devices, etc.
• Skipping basic maintenance – Skipping backups, disaster recovery exercises, and software updates/patching on assets
• Artisan Security – Focused on custom manual solutions instead of automation and off-the-shelf tooling

Best Practices
Develop and implement an end to end technical security strategy focused on durable capabilities and Zero Trust principles. This workshop helps you define and rapidly improve on best practices across security including:
• Asset-centric security aligned to business priorities & technical estate (beyond network perimeter)
• Consistent principle-driven approach throughout security lifecycle
• Pragmatic prioritization based on attacker motivations, behavior, and return on investment
• Balance investments between innovation and rigorous application of security maintenance/hygiene
• ‘Configure before customize’ approach that embraces automation, innovation, and continuous improvement
• Security is a team sport across security, technology, and business teams
Improving Resiliency
Enable business mission while continuously increasing security assurances
NIST Cybersecurity Framework v2: GOVERN | ‘Left of Bang’ | Rapidly and effectively manage attacks
The job will never be ‘done’ or ‘perfect’, but it’s important to keep doing (like cleaning a house)
Zero Trust Architecture – Security Strategy and Program – Security Posture Management
End to End Security: Enable the business mission and increase security assurances with an intentional approach
GOVERN | ‘Left of Bang’ | Rapidly and effectively manage attacks
Disciplines: Secure Identities and Access | Modern Security Operations (SecOps/SOC) | Infrastructure & Development Security | Data Security & Governance | IoT and OT Security
Defenders must focus on
A. Strong security controls + effective placement
B. Rapid response to attacks
C. Continuously testing & monitoring controls
Phishing email to admin
Attacker’s reasoning: “Looks like they have NGFW, IDS/IPS, and DLP. I bet their admins (1) check email from admin workstations and (2) click on links for higher paying jobs.”
Protect Privileged Accounts
• Replace the password.xls ‘process’ with PIM/PAM and workload identities
• Require separate accounts for admins and enforce MFA/passwordless
• Privileged Access Workstations (PAWs) + enforce with Conditional Access

Sensitive Data Protection & Monitoring
• Discover business critical assets with business, technology, and security teams
• Increase security protections and monitoring processes
• Encrypt data with Azure Information Protection

Modernize Security Operations
• Add XDR for identity, endpoint (EDR), cloud apps, and other paths
• Train SecOps analysts on endpoints and identity authentication flows

Rigorous Security Hygiene
• Rapid patching
• Secure configuration
• Secure operational practices
Security is complex and challenging
Attackers have a lot of options across infrastructure, applications, data, and people, forcing security into a holistic, complex approach
• Regulatory sprawl - 200+ daily updates from 750 regulatory bodies
• Threats – continuously changing threat landscape
• Security tools – dozens or hundreds of tools at customers
• Must secure across everything – Hybrid of Everything, Everywhere, All at Once
• Nothing gets retired! Usually for fear of breaking something (& getting blamed)
• ‘Data swamp’ accumulates managed data + unmanaged ‘dark’ data
False Assumptions → Systematically Build & Measure Trust
• “Security is the opposite of productivity” → Business Enablement: Align security to the organization’s mission, priorities, risks, and processes
• “All attacks can be prevented” → Continuously reduce blast radius and attack surface through prevention and detection/response/recovery
• “Network security perimeter will keep attackers out” → Shift to Asset-Centric Security Strategy: Revisit how to do access control, security operations, infrastructure and development security, and more
• “Passwords are strong enough” → Explicitly Validate Account Security: Require MFA and analyze all user sessions with behavior analytics, threat intelligence, and more
• “IT Admins are safe” → Plan and Execute Privileged Access Strategy: Establish security of accounts, workstations, and other privileged entities (aka.ms/spa)
• “IT Infrastructure is safe” → Validate Infrastructure Integrity: Explicitly validate trust of operating systems, applications, service accounts, and more
• “Developers always write secure code” → Integrate security into development process: Security education, issue detection and mitigation, response, and more
• “The software and components we use are secure” → Supply chain security: Validate the integrity of software and hardware components from open source, vendors, and others

Goal: Zero Assumed Trust
Reduce risk by finding and removing implicit assumptions of trust
With 30+ years of backlog at most organizations, it will take a while to burn down the backlog of assumed trust
Zero Trust Security Architecture
End to End Prioritized Execution + Continuous Improvement
Prioritize backlog of trust assumptions
Microsoft Security Adoption Framework
Zero Trust Commandments
Requirements that represent best practices for a Zero Trust Architecture (ZTA) and transformation. The Open Group Standard.
Usage: General planning. Testing whether something is ‘Zero Trust’ or not.

10 Laws of Cybersecurity Risk
Key truths about managing security risk that bust common myths.
Usage: Ensuring security strategy, controls, and risk are managed with a realistic understanding of how attacks, humans, and technology work.

Immutable Laws of Security
Zero Trust Commandments
Standardized Rules for Zero Trust security

Practice Deliberate Security
Establishes a pragmatic view of ‘trust’ in today’s world of continuous threats + how to prioritize applying that in a world of complex and continuously changing requirements
• Validate Trust Explicitly
• Utilize Least Privilege
• Assume Failure
• Assume Success

Develop a Security-Centric Culture
Guides the application of security across all teams

Support Business Objectives
Aligns security explicitly to business priorities and assets (vs networks) and considers long term implications

Deploy Agile and Adaptive Security
Ensures security can keep up with continuous change
10 Laws of Cybersecurity Risk (aka.ms/SecurityLaws)
1. Security success is ruining the attacker ROI (return on investment)
2. Not keeping up is falling behind
3. Productivity always wins
4. Attackers don't care
5. Ruthless Prioritization is a survival skill
6. Cybersecurity is a team sport
7. Your network isn’t as trustworthy as you think it is
8. Isolated networks aren’t automatically secure
9. Encryption alone isn’t a data protection solution
10. Technology doesn't solve people & process problems
Immutable Laws of Security
• If a bad actor can persuade you to run their program on your computer, it's not solely your computer anymore.
• If a bad actor can alter the operating system on your computer, it's not your computer anymore.
• If a bad actor has unrestricted physical access to your computer, it's not your computer anymore.
• If you allow a bad actor to run active content in your website, it's not your website anymore.
• Weak passwords trump strong security.
• A computer is only as secure as the administrator is trustworthy.
• Encrypted data is only as secure as its decryption key.
• An out-of-date antimalware scanner is only marginally better than no scanner.
• Technology isn't a panacea.
End to End Security Architecture – Diagrams & References
aka.ms/MCRA | aka.ms/MCRA-videos | December 2023
• Microsoft Security Capabilities
• Zero Trust Adaptive Access
• Privileged Access
• Device Types
• Artificial Intelligence (AI) and Security
Security Strategy and Program | Zero Trust Architecture
Security Adoption Framework
Reduce risk by rapidly modernizing security capabilities and practices
Includes Reference Plans

End to End Strategy and Planning – Zero Trust Architecture
Where do you want to start? There’s no wrong place to start.
• Security Strategy and Program
• Plan and Execute Initiatives: Secure Identities and Access | Modern Security Operations (SecOps/SOC) | Infrastructure & Development Security

Let’s get next steps locked in
Capture actions and who follows up on them (Point of Contact | Next Step)
Workshop options (columns: Topic | Summary | Title and Description | Use Case | Full Workshop)

Overview and Scoping (Start here if you don't know where to start)
  Summary: 4 hours | Full Workshop: ‐
  This short conversation is like a 'trail head’ to help you pick the best path to get started (from the below) with security modernization planning based on your current needs and priorities.
  Use Case: Product Adoption

Microsoft Cybersecurity Reference Architectures (MCRA) / Security ADS Module 1
  Summary: 4 hours (MCRA) | Full Workshop: 2 Days (Security ADS 1)
  Microsoft Cybersecurity Reference Architectures provide guidance on end to end technical architectures. The Security Architecture Design Session (ADS) Module 1 guides you through additional architectural context including guiding principles, a 'Rosetta Stone' of security models, cross‐discipline integrated scenarios, shared responsibility models, technical plans, and more.
  Use Case: End to End Technical Architecture

CISO Workshop
  Summary: 4 hours | Full Workshop: Custom scope
  The CISO workshop enables senior security and technology leaders (CISOs, CIOs, directors, and others) to accelerate security strategy and program modernization with best practices and lessons learned. The workshop covers all aspects of a comprehensive security program including recommended strategic initiatives, roles and responsibilities guidance, reference success metrics, maturity models, Zero Trust
Plan and Execute Initiatives (columns: Topic | Summary | Title and Description | Use Case | Full Workshop)

Security ADS Module 2 ‐ Secure Identities and Access
  Summary: 4 hours | Full Workshop: TBD when available
  Provides guidance for planning and architecting access control to secure access to a 'hybrid of everything' modern enterprise, mitigate attacks on privileged accounts, and integrate identity and network access strategies together.
  The full workshop (currently in development) provides additional detail on a policy‐driven adaptive access control (integrating identity, network, and other access controls) including maturity models, success criteria, recommended technical architectures, a Microsoft case study, and a planning exercise to map out your journey by tailoring reference plans to your unique needs.

Security Operations (SecOps/SOC)
  The full workshop provides additional detail on attacks and incident response, recommended processes and metrics, putting an XDR + SIEM + Security Data Lake strategy into action, a Microsoft case study, advanced functions (threat hunting, detection engineering, incident management, threat intelligence), outsourcing considerations, and a planning exercise to map out your journey.

Security ADS Module 4 ‐ Infrastructure & Development Security
  Summary: 4 hours | Full Workshop: TBD when available
  Provides guidance for planning and architecting infrastructure and development security for multi-cloud environments, including how to address the simultaneous challenges of rapidly evolving infrastructure, securing workloads and applications as you develop them, and building a teamwork‐oriented DevSecOps approach for keeping up with rapidly evolving threats, technology, and business requirements.
Security Adoption Framework – aka.ms/saf

Security Resources
Security Documentation – aka.ms/SecurityDocs
▪ Rapidly modernize your security posture for Zero Trust
▪ Secure remote and hybrid work with Zero Trust
▪ Identify and protect sensitive business data with Zero Trust
▪ Meet regulatory and compliance requirements with Zero Trust

Zero Trust Architecture
• Microsoft Cybersecurity Reference Architectures (MCRA) - aka.ms/MCRA | aka.ms/MCRA-videos
• Zero Trust Deployment Guidance - aka.ms/ztguide | aka.ms/ztramp
• Ransomware and Extortion Mitigation - aka.ms/humanoperated
• Backup and restore plan to protect against ransomware - aka.ms/backup

Product Capabilities – www.microsoft.com/security/business
• Security Product Documentation: Azure | Microsoft 365
• Microsoft Security Response Center (MSRC) - www.microsoft.com/en-us/msrc

Discipline resources (Secure Identities and Access, and others)
• Microsoft Cloud Security Benchmark (MCSB)
• Defender for Cloud Documentation
• Securing Privileged Access (SPA)
• Zero Trust User Access
• Microsoft Entra Documentation - aka.ms/entradocs
• Incident Response - aka.ms/IR
• CDOC Case Study - aka.ms/ITSOC
• Insider Risk Management
• Microsoft Purview Documentation - aka.ms/purviewdocs
• Ninja Training
• Defender for IoT Training
• MCRA Videos
• MCRA Video OT & IIoT Security
• Defender for IoT Documentation - aka.ms/D4IoTDocs
Key Industry References and Resources
• Zero Trust Commandments - https://pubs.opengroup.org/security/zero-trust-commandments/
• Zero Trust Reference Model - https://publications.opengroup.org/security-library
• Security Principles for Architecture - https://publications.opengroup.org/security-library
• Cybersecurity Framework - https://www.nist.gov/cyberframework
• Zero Trust Architecture - https://www.nist.gov/publications/zero-trust-architecture
• Secure Software Development Framework (SSDF) - https://csrc.nist.gov/pubs/sp/800/218/final
• Zero Trust Maturity Model - https://www.cisa.gov/zero-trust-maturity-model
• CIS Benchmarks – https://www.cisecurity.org/cis-benchmarks/
Why are we having a Zero Trust conversation?
3 Assets increasingly leave the network
4 Attackers shift to identity attacks
Security Modernization with Zero Trust Principles
Security Strategy and Program | Zero Trust Architecture
Disciplines: Secure Identities and Access | Modern Security Operations (SecOps/SOC) | Infrastructure & Development Security | Data Security & Governance | IoT and OT Security

Zero Trust Principles
Asset/Node = account, app, device, VM, container, data, API, etc.

Business Enablement
Align security to the organization’s mission, priorities, risks, and processes

Assume Breach (Assume Compromise)
Assume attackers can and will successfully attack anything (identity, network, device, app, infrastructure, etc.) and plan accordingly

Verify Explicitly
Protect assets against attacker control by explicitly validating that all trust and security decisions use all relevant available information and telemetry

Use Least-Privilege Access
Limit access of a potentially compromised asset, typically with just-in-time and just-enough-access (JIT/JEA) and risk-based policies like adaptive access control
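The three technical principles above (verify explicitly, least-privilege access with JIT/JEA, assume breach) describe the decision logic of a policy decision point such as the Conditional Access and Policy Enforcement Point components that appear in the later diagrams. The Python block below is an added example and is not code from the MCRA deck or from any Microsoft product; every signal name, role, time limit and sample request in it is a constructed assumption, chosen only to show how the principles combine into a single access decision that always expires and is always recorded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample roles and the longest just-in-time grant each may receive.
# Standing privileged access is never issued: every grant expires (JIT/JEA).
MAX_TTL = {
    "reader": timedelta(hours=8),
    "contributor": timedelta(hours=4),
    "admin": timedelta(hours=1),
}
PRIVILEGED_ROLES = {"admin"}

# Fixed clock so the demo and its checks are reproducible.
DEMO_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccessRequest:
    """Signals a policy decision point consumes. Field names are illustrative."""
    user: str
    requested_role: str
    mfa_satisfied: bool      # identity signal: strong authentication completed
    device_compliant: bool   # device signal: managed and healthy per device management
    sign_in_risk: str        # risk signal: "low", "medium" or "high"
    from_paw: bool = False   # request originates from a Privileged Access Workstation


@dataclass(frozen=True)
class Decision:
    allowed: bool
    granted_role: Optional[str]
    expires_at: Optional[datetime]
    reason: str
    audit: dict = field(default_factory=dict)  # what SecOps sees for every decision


def evaluate(req: AccessRequest, now: datetime = DEMO_NOW) -> Decision:
    """Decide access from all available signals; the default outcome is deny."""
    audit = {
        "user": req.user,
        "requested_role": req.requested_role,
        "mfa": req.mfa_satisfied,
        "device_compliant": req.device_compliant,
        "sign_in_risk": req.sign_in_risk,
        "from_paw": req.from_paw,
    }

    def deny(reason: str) -> Decision:
        # Assume breach: denials are recorded too, because a burst of denials
        # against one account is itself a detection signal for the SOC.
        return Decision(False, None, None, reason, {**audit, "outcome": "deny"})

    # Verify explicitly: every signal is checked on every request; nothing is
    # inherited from network location or from an earlier successful sign-in.
    if req.sign_in_risk == "high":
        return deny("sign-in risk is high")
    if not req.mfa_satisfied:
        return deny("MFA not satisfied")
    if req.requested_role not in MAX_TTL:
        return deny(f"unknown role {req.requested_role!r}")

    if req.requested_role in PRIVILEGED_ROLES:
        # Privileged roles are all-or-nothing: they require a compliant PAW.
        if not (req.device_compliant and req.from_paw):
            return deny("privileged role requires a compliant Privileged Access Workstation")
        role = req.requested_role
    else:
        # Adaptive access: degraded signals shrink the grant instead of forcing
        # a binary allow/deny (least privilege for the risk observed right now).
        role = req.requested_role
        if req.sign_in_risk == "medium" or not req.device_compliant:
            role = "reader"

    expires_at = now + MAX_TTL[role]
    note = "granted as requested" if role == req.requested_role else f"downgraded to {role}"
    return Decision(True, role, expires_at, note,
                    {**audit, "outcome": "allow", "granted_role": role,
                     "expires_at": expires_at.isoformat()})


def is_still_valid(decision: Decision, now: datetime) -> bool:
    """JIT enforcement: a grant is usable only until it expires; re-evaluate after that."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at


def demo() -> list:
    """Constructed requests covering the main outcomes."""
    requests = [
        AccessRequest("alice", "admin", True, True, "low", from_paw=True),   # allow, 1 h
        AccessRequest("alice", "admin", True, True, "low", from_paw=False),  # deny: no PAW
        AccessRequest("bob", "contributor", True, False, "low"),            # downgraded to reader
        AccessRequest("carol", "contributor", True, True, "medium"),        # downgraded to reader
        AccessRequest("dave", "reader", False, True, "low"),                # deny: no MFA
        AccessRequest("eve", "reader", True, True, "high"),                 # deny: high risk
    ]
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for d in demo():
        print(d.audit["user"], d.audit["outcome"], d.granted_role, d.reason)
```

Two design choices carry the principles: the function never returns an allow that lacks an expiry, so there is no standing access to inherit after a compromise, and the audit dictionary is built before any branch, so denied requests leave the same trace as allowed ones for the detection side of the house.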
Apply Zero Trust principles: Assume breach | Explicitly Verify | Least privileged
Key changes across security disciplines – general strategy shift from ‘assume safe network’
• Business Enablement
• Asset-centric protections
• Asset-centric detection and response (XDR) and end to end visibility (SIEM)
• Automated threat response
• Threat modelling
• Just-in-time & Just-enough-access (JIT/JEA)
• Cloud Infrastructure Entitlement Management (CIEM)
• Privileged Access Workstations (PAWs) for SOC Analysts, IT Admins, and business critical assets
• Secure Access Service Edge (SASE)
• DevSecOps and CI/CD process integration of best practices (static and dynamic analysis, etc.)
All elements informed by threat and business intelligence, assisted by security engineering/automation
Key Industry Collaborations
The Open Group
Focused on architecture and implementation with available technology
Many organizations are contributing valuable perspectives and guidance like the Cybersecurity and Infrastructure Security Agency (CISA), Cloud Security Alliance (CSA), and some technology vendors

Key Zero Trust Models and Architectures
• Focused on integration with business and IT/Enterprise/Security architecture
• Focused on architecture and implementation with available technology

Key Zero Trust Capabilities
Increase security and flexibility for continuously changing business, technology, threats, and regulations
• Asset-Centric Protection (Data-Centric & System-Centric)
• Risk Controls - establish overall security framework based on organizational risk
• Asset-Centric Security Operations – rapid and complete detection, response, and recovery from attacks
Microsoft Security Capability Mapping – The Open Group Zero Trust Components
• Asset Protection: Classification, Protection, Tokenization
• Digital Ecosystems
• Asset-Centric Security Operations: Rapid Threat Detection, Response, and Recovery
• Distributed Policy Enforcement Points (PEPs): Microsoft Entra Conditional Access, Entra Internet Access, Entra Private Access
• Defender for Endpoint (Endpoint Detection and Response)
• Security telemetry from across the environment: 65+ trillion signals per day of security context
• Microsoft Purview, Microsoft Priva
• GitHub Advanced Security & Azure DevOps Security: Secure development and software supply chain
• Defender for Cloud, Azure Arc
Zero Trust reference architecture diagram (implemented in NCCoE lab, Summer 2023) – recoverable labels:
• Endpoint Security: User | Device | Mobile Device | Device (with SDP Client)
• Policy Enforcement / Admin (PE/PA): Entra ID, Entra ID Governance, Entra ID Conditional Access, Entra Internet Access, Entra Private Access, Entra Permissions Management, Intune, Defender for Cloud Apps, Defender for Endpoint (Endpoint Detection and Response), Defender for Identity, Defender for Office 365, Defender for Cloud, Microsoft Cloud Security Benchmark, Azure Arc, Azure Automanage, Defender Application Guard, Purview (DLP, Information Protection), Mobile App Mgmt
• Policy flow: Policy → Determine Access → Grant Access
• Policy Enforcement Point (PEP) / Software Defined Perimeter (SDP): VPN Backend Connector
• Data Loss Prevention (DLP): Document
• Infrastructure & Access: On-prem apps & workloads | Cloud apps & workloads | 3P SaaS | Azure IaaS | Data (Database, File share, Storage)
• Security telemetry from across the environment: Defender for Identity, Defender for Cloud Apps, Defender for Cloud, Defender for Endpoint, Defender for Office 365
• Feedback mechanisms enable continuous improvement