Changed file: learn-pr/wwl-sci/design-solutions-align-cloud-adoption-framework-well-architected-framework/7b-define-security-strategy.yml
Changed file: learn-pr/wwl-sci/design-solutions-align-cloud-adoption-framework-well-architected-framework/includes/7b-define-security-strategy.md
Lines changed: 32 additions & 17 deletions
@@ -1,6 +1,6 @@
1
-
The previous unit showed how to evaluate an existing security posture and design a strategy from the findings. But what if your organization lacks a formal security strategy altogether? Organizations adopting cloud for the first time, startups scaling beyond their initial infrastructure, and enterprises that historically relied on implicit security practices all face the same challenge—they need to design a security and governance strategy before they can evaluate against one.
1
+
The previous unit showed how to evaluate an existing security posture and design a strategy from the findings. But what if your organization lacks a formal security strategy altogether? Organizations without one—whether adopting cloud for the first time or scaling beyond implicit security practices—need to design a strategy before they can evaluate against one.
2
2
3
-
This unit covers how to design a new strategy for security and governance based on the Cloud Adoption Framework (CAF) and the Well-Architected Framework (WAF). CAF provides the organizational and lifecycle structure—how to plan, adopt, govern, and manage security across your cloud estate. WAF provides the architectural quality standards—what security properties your workloads must exhibit. A comprehensive strategy draws on both: CAF shapes the strategic direction and governance model, while WAF defines the security requirements that workloads must satisfy.
3
+
This unit covers how to design a new strategy for security and governance based on the Cloud Adoption Framework (CAF) and the Well-Architected Framework (WAF). CAF provides the organizational and lifecycle structure—how to plan, adopt, govern, and manage security across your cloud estate. WAF provides the architectural quality standards—what security properties your workloads must exhibit.
4
4
5
5
## Recognize when you need a new strategy
6
6
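Review bot: the rewritten third paragraph (the `+` line replacing the CAF/WAF paragraph) drops the sentence that tied the two frameworks together ("A comprehensive strategy draws on both: CAF shapes the strategic direction and governance model, while WAF defines the security requirements that workloads must satisfy"), so the paragraph now describes CAF and WAF separately and never states that the strategy uses both. The later sections depend on that framing (the WAF security pillar supplying requirements for each CAF component, and the closing scope assignments), so suggest keeping a one-sentence tie at the end of the paragraph, for example "A comprehensive strategy draws on both." The condensed opening paragraph reads fine.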
@@ -11,7 +11,7 @@ Defining a new security strategy is appropriate when one or more of these condit
11
11
-**Major transformation**: The organization is undergoing a significant shift—such as a first cloud adoption, a merger, or a move to a new operating model—that invalidates prior assumptions.
12
12
-**Regulatory change**: New compliance requirements demand a fundamentally different security approach rather than incremental adjustments.
13
13
14
-
If a documented cloud security strategy already exists, use the evaluation approach from the previous unit instead. Defining a new strategy and evaluating an existing one are complementary activities—most organizations cycle between both as their environment evolves.
14
+
If a documented cloud security strategy already exists, use the evaluation approach from the previous unit instead.
15
15
16
16
## Address organizational readiness
17
17
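Review bot: the shortened sentence under the condition list ("If a documented cloud security strategy already exists, use the evaluation approach from the previous unit instead.") loses the point that defining and evaluating are complementary and that organizations cycle between them. On its own it now reads as a one-time either/or decision, which sits oddly next to the sustainment section's emphasis on ongoing adaptation later in the unit. Suggest retaining a short second sentence such as "The two activities are complementary; revisit the strategy as the environment evolves."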
@@ -23,6 +23,16 @@ Cloud security requires a broader set of participants than traditional on-premis
23
23
24
24
**Secure executive sponsorship.** A security strategy without executive backing becomes a document that nobody follows. Ensure leadership understands the business rationale—risk reduction, compliance enablement, and business agility—and commits resources for implementation.
25
25
26
+
## Establish security objectives
27
+
28
+
Before defining how to address each strategy component, establish what security must achieve. Work with business stakeholders to define objectives that are:
29
+
30
+
-**Business-aligned**: Tie each objective to a business outcome—revenue protection, customer trust, or regulatory compliance.
31
+
-**Risk-informed**: Prioritize based on threat likelihood and business impact. Focus resources where potential harm is greatest.
32
+
-**Measurable**: Define metrics that demonstrate progress—reduction in exposure, detection coverage, or mean time to remediate.
33
+
34
+
These objectives become the criteria for evaluating each strategy component that follows.
35
+
26
36
## Define strategy components
27
37
28
38
The CAF Secure methodology organizes security strategy into six components. Each addresses a distinct aspect of your security posture and together they form a comprehensive strategy. As you define each component, the WAF security pillar provides the architectural requirements that translate strategic intent into workload-level design decisions.
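Review bot: the new "Establish security objectives" section is well placed between executive sponsorship and the component definitions, but its "Risk-informed" bullet prioritizes on likelihood and impact without anchoring to the organization's risk appetite, and this patch removes the only other mention of risk appetite (the "Business context" item in the deleted "Structure the strategy document" list). Suggest extending the bullet, for example "Prioritize based on threat likelihood and business impact, within the risk appetite leadership has agreed." A smaller point: the section does not say who owns each objective, while the closing paragraph later assigns scope (CAF, landing zones, WAF); a short ownership sentence here would connect the two.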
@@ -31,8 +41,10 @@ The CAF Secure methodology organizes security strategy into six components. Each
31
41
32
42
Security posture modernization means continuously improving your defensive capabilities to keep pace with evolving threats. This component addresses:
33
43
44
+
-**Identity and access governance**: In cloud environments, identity is the primary control plane. Define policies for authentication strength, privileged access lifecycle, conditional access based on risk signals, and service identity management. MCSB dedicates two domains—Identity Management and Privileged Access—to these controls, and WAF checklist item SE:05 specifies workload-level identity and access requirements.
45
+
-**Network segmentation**: Define a network architecture that enforces isolation between trust zones, segmented by workload sensitivity and function. WAF checklist item SE:06 specifies workload-level network controls including traffic filtering and ingress/egress restrictions.
34
46
-**Asset visibility**: You can't protect what you can't see. Establish a comprehensive inventory of identities, devices, applications, data, and infrastructure across cloud and on-premises environments.
35
-
-**Configuration baselines**: Define secure configuration standards for each asset category. Use the Microsoft Cloud Security Benchmark as a control framework to establish baseline requirements across 12 security domains—from network security and identity management to data protection and AI workload security. At the workload level, WAF checklist item SE:01 reinforces this by requiring a security baseline aligned to compliance requirements, industry standards, and platform recommendations.
47
+
-**Configuration baselines**: Define secure configuration standards for each asset category. Use the Microsoft Cloud Security Benchmark to establish baseline requirements across its 12 security domains. WAF checklist item SE:01 reinforces this by requiring a security baseline aligned to compliance requirements, industry standards, and platform recommendations.
36
48
-**Continuous assessment**: Implement automated tools that measure posture against your baselines. *Microsoft example: Microsoft Defender for Cloud provides cloud security posture management (CSPM) with secure score and regulatory compliance dashboards.*
37
49
38
50
#### Adopt Zero Trust as a strategic foundation
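Review bot: the new "Identity and access governance" bullet is the first use of the "MCSB" abbreviation in this hunk, and the spelled-out "Microsoft Cloud Security Benchmark" now appears only in the later "Configuration baselines" bullet; unless the acronym is expanded earlier in the file, swap them so the first mention reads "Microsoft Cloud Security Benchmark (MCSB)" and the baselines bullet uses "MCSB". Ordering is also worth a look: the unchanged "Asset visibility" bullet ("You can't protect what you can't see") reads as the foundation of posture modernization, yet the two new bullets are inserted ahead of it; placing identity and network segmentation after asset visibility and before configuration baselines would keep inventory first and let the baselines bullet's "each asset category" follow naturally.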
@@ -43,7 +55,7 @@ The CAF Secure methodology positions Zero Trust adoption as a core element of po
43
55
-**Use least privilege**: Limit access with just-in-time and just-enough-access policies, risk-based adaptive controls, and data protection requirements tied to sensitivity levels.
44
56
-**Assume breach**: Minimize blast radius through segmentation. Verify end-to-end encryption. Use analytics to detect threats and improve defenses proactively.
45
57
46
-
These principles apply across all six pillars of a Zero Trust architecture: identities, devices, applications, data, infrastructure, and networks. When defining your strategy, map each principle to specific controls within each pillar rather than treating Zero Trust as an abstract goal. The WAF security design principle "plan your security readiness" explicitly requires accounting for Zero Trust and the CIA Triad when creating a workload-level security readiness plan.
58
+
These principles apply across six Zero Trust pillars: identities, devices, applications, data, infrastructure, and networks. Map each principle to specific controls within each pillar rather than treating Zero Trust as an abstract goal. The WAF design principle "plan your security readiness" requires accounting for Zero Trust and the CIA Triad in workload-level planning.
47
59
48
60
### Incident preparedness
49
61
@@ -52,14 +64,15 @@ No security strategy eliminates all risk. Your strategy must account for how the
52
64
-**Detection capabilities**: Define monitoring coverage requirements for each environment—cloud workloads, identity systems, network traffic, and endpoint activity. Specify detection time targets for critical threat categories.
53
65
-**Response procedures**: Establish incident response plans that define roles, communication channels, escalation paths, and decision authority. Include procedures for both contained incidents (single-workload compromise) and broad-impact scenarios (identity provider compromise, supply chain attack). WAF checklist item SE:12 requires workload-specific incident response procedures covering localized issues through disaster recovery.
54
66
-**Recovery objectives**: Set recovery time objectives (RTO) and recovery point objectives (RPO) for security-related outages. Define what "recovered" means for each critical system—restored operations, confirmed absence of persistence mechanisms, and validated integrity of data.
55
-
-**Practice and refinement**: Conduct tabletop exercises and simulated attacks regularly. Update response procedures based on lessons learned and emerging threat intelligence.
67
+
-**Practice and refinement**: Conduct tabletop exercises and simulated attacks regularly. Update procedures based on lessons learned.
56
68
57
69
### Confidentiality strategy
58
70
59
71
Confidentiality ensures that sensitive information is accessible only to authorized entities. WAF checklist items SE:03 (classify and label data by sensitivity) and SE:07 (encrypt data using modern standards aligned to classification) provide the workload-level implementation requirements for this component. Your strategy should define:
60
72
61
73
-**Data classification**: Establish classification levels (public, internal, confidential, highly confidential) and the criteria for assigning each level. Classification drives all downstream protection decisions.
62
-
-**Data protection controls**: Map specific protection mechanisms to each classification level—encryption at rest and in transit, access controls, data loss prevention policies, and information barriers.
74
+
-**Data protection controls**: Map specific protection mechanisms to each classification level—encryption at rest and in transit, access controls, and information barriers.
75
+
-**Data loss prevention (DLP)**: Define a DLP strategy that prevents sensitive data from being shared, transferred, or exposed outside authorized boundaries. DLP policies should align to your classification levels and cover email, cloud storage, endpoints, and collaboration platforms.
63
76
-**Regulatory alignment**: Identify which data falls under regulatory requirements (HIPAA, PCI-DSS, industry-specific mandates) and ensure your classification and protection scheme satisfies those obligations.
64
77
-**Lifecycle management**: Define how data is handled from creation through disposal, including retention policies and secure deletion procedures.
65
78
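Review bot: the trimmed "Practice and refinement" bullet now updates response procedures only from "lessons learned", dropping "emerging threat intelligence"; since this is where threat intelligence would feed the simulated-attack scenarios the bullet calls for, either keep the phrase or point to the sustainment section's "Threat landscape monitoring" bullet so the link is not lost. The split of DLP into its own bullet is a good change; to keep it reading as part of the classification scheme rather than a separate mechanism, consider ordering the DLP bullet directly after "Data classification", or noting in "Data protection controls" that DLP follows.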
@@ -89,17 +102,19 @@ A security strategy fails if it only addresses today's environment. Sustainment
89
102
-**Threat landscape monitoring**: Assign responsibility for tracking emerging threats and technologies that could affect your security posture, including new attack techniques and evolving regulatory requirements.
90
103
-**Skill development**: Plan for ongoing training and skills investment as cloud services and threat tactics evolve. Security knowledge has a short half-life; build learning into your operating model.
91
104
92
-
## Structure the strategy document
105
+
## Address governance and compliance
106
+
107
+
A strategy without governance remains aspirational. Governance provides the enforcement mechanisms that translate strategic objectives into verifiable, consistent practice across your cloud estate:
108
+
109
+
-**Policy-as-code**: Codify security requirements as automated policies that prevent noncompliant deployments, audit existing configurations, and remediate drift. *Microsoft example: Azure Policy evaluates resources against defined rules and can deny, audit, or auto-remediate noncompliant configurations.*
110
+
-**Compliance mapping**: Map each strategy component to the regulatory and industry frameworks your organization must satisfy—HIPAA, PCI-DSS, sector-specific mandates, or internal standards. Track adherence through continuous compliance monitoring rather than periodic audits alone.
111
+
-**Exception management**: Define a formal process for security exceptions—risk acceptance criteria, approval authority, time-bound expiration, and compensating controls. Without a clear exception process, teams bypass controls informally.
112
+
-**Secure development lifecycle**: Commit to integrating security into every phase of software delivery—threat modeling during design, secure code review during development, automated security testing in deployment pipelines, and runtime protection in production. WAF checklist item SE:02 requires a hardened software supply chain with integrated threat modeling.
93
113
94
-
Bring these components together into a documented strategy that maps CAF lifecycle phases to WAF quality requirements. The document should be something stakeholders can reference and act on:
114
+
## Address AI workload security
95
115
96
-
1.**Business context**: State the business drivers, risk appetite, and compliance obligations that shape security priorities.
97
-
2.**Principles**: Define the security principles (Zero Trust, defense in depth, least privilege) that guide all decisions.
98
-
3.**Strategy components**: Document posture modernization, incident preparedness, confidentiality, integrity, availability, and sustainment objectives with measurable targets. Reference the specific MCSB controls and WAF checklist items (SE:01–SE:12) that each objective addresses.
99
-
4.**Scope mapping**: Assign each objective to the appropriate scope—strategy (CAF Secure methodology), platform (landing zones and MCSB), or workload (WAF security checklist)—so that the right teams own the right objectives. CAF-scope objectives address organizational direction and governance. Platform-scope objectives address infrastructure controls. Workload-scope objectives address the architectural requirements defined by WAF.
100
-
5.**Phased roadmap**: Sequence implementation based on risk, business impact, and dependencies. Use the prioritization criteria discussed in the previous unit's gap analysis.
101
-
6.**Success metrics**: Define how you measure progress—secure score targets, compliance percentages, mean time to detect, mean time to respond, and coverage metrics for each strategy component.
116
+
Organizations deploying AI workloads face additional security concerns that traditional strategies don't cover. Your strategy should address model protection (securing model weights and training data as high-value assets), input validation (filtering for prompt injection and adversarial inputs), output controls (preventing data leakage through model responses), and monitoring for unusual query patterns. MCSB includes a dedicated AI security domain that provides controls for these scenarios.
102
117
103
-
The strategy document doesn't need to be lengthy. Clarity and actionability matter more than comprehensiveness. A concise strategy that teams actually follow is more effective than a detailed document that sits unread.
118
+
With all strategy components and governance mechanisms defined, document the strategy with measurable targets for each component, scope assignments—CAF for organizational objectives, landing zones for platform controls, WAF for workload requirements—and a phased roadmap prioritized by risk and business impact.
104
119
105
-
With a security and governance strategy defined—whether from evaluation findings (previous unit) or from the ground up (this unit)—the next step is recommending specific solutions that implement each capability your strategy requires.
120
+
The next step is recommending specific solutions that implement each capability your strategy requires.
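Review bot: replacing the "Structure the strategy document" section with the governance and AI sections loses the traceability requirement from the deleted item 3 ("Reference the specific MCSB controls and WAF checklist items (SE:01–SE:12) that each objective addresses"), and the new closing paragraph ("document the strategy with measurable targets for each component, scope assignments ... and a phased roadmap") does not restore it. The rest of the unit cites SE:01, SE:02, SE:03, SE:05, SE:06, SE:07 and SE:12 per component, so the document outline should still ask for those references; suggest appending a clause such as "with each target referencing the MCSB controls and WAF checklist items it addresses". Two smaller points: the deleted list's principles (Zero Trust, defense in depth, least privilege) and success metrics (mean time to detect, mean time to respond, compliance percentages) now have no home in the outline, although the new objectives section partly covers metrics; and the "Compliance mapping" bullet repeats the HIPAA/PCI-DSS examples already given under "Regulatory alignment" in the confidentiality section, so a cross-reference would avoid restating them.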