Cybersecurity architects must have a solid foundation in the design and integration of security across multiple environments. As is the case with any design, planning is necessary at the beginning before any formal architecture can be created and performed. The cybersecurity architect must understand the current environment and how the various components of that environment interact and integrate. This includes the controls that are currently in place and how they are used.

Cybersecurity architects will be involved in designing security architectures based on best practices and security frameworks, as well as existing company environments. You may be asked to retrofit security controls from an on-premises environment to cloud environments that are part of a company’s journey to the cloud. This requires a broad understanding of not just Microsoft technology but...

Cybersecurity, as is the case with most information technology (IT), is thought of by businesses as unavoidable and something that must be implemented. Therefore, a cybersecurity architect needs to be able to align the controls to protect the company with the business goals of the company.

Cyber-attacks affect companies in diverse ways. They can damage the reputation of the victim company in the case of a high-profile attack, cause economic damage if important business documents or financial data are breached, and lead to regulatory costs from potential fines if the breach is caused by inadequately addressing compliance standards.

Each of these business impacts needs to be addressed and presented to the company when building a cybersecurity architecture. A proper risk analysis should be done for threats to identify proper security controls and present them to the company to help them understand the security and business impact...

Now that you understand the security posture, defense-in-depth, and shared responsibility as you begin to architect cybersecurity for the cloud, it is time to discuss the makeup of a security operations team and the levels of a cybersecurity attack.

In Chapter 1, Cybersecurity in the Cloud, the concept of building a defense-in-depth security strategy was discussed. In this section, you will take each of those defense-in-depth requirements and align them with some security products, services, and processes. Figure 2.3 shows the defense-in-depth strategy:

Figure 2.3: Defense-in-depth security diagram

Each of these layers can be protected with controls that a cybersecurity architect should address in the design.

Physical

The physical level of defense includes the actual hardware technology and spans the entire data center facility. In a cloud infrastructure, the cloud provider, such as...

Not everything about cybersecurity involves protecting against threats and vulnerabilities. A key part of a cybersecurity architecture is having resiliency within the design. A resilient architecture will protect a company against disruption or data loss from an attack. Building a resilient architecture is within the network, compute, and storage design. Creating a resilient strategy for your architecture provides a level of business continuity to your company. This can allow continued operations in the case of a disastrous event.

Note

NIST 800-160 provides some guidance on resiliency and business continuity here: https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final.

Resilient networks are built within virtual networking and security designed to provide both segmentation and redundancy throughout the architecture. Maintaining segmentation between private and public resources while also creating geographic separation and redundancy...

This chapter has discussed several strategies and ways to implement zero trust, defense-in-depth, and resiliency in the architecture. At the time of writing, most companies have more than just Microsoft services and solutions within their infrastructure. Therefore, a cybersecurity architect needs to account for those additional environments in their design for the company. This includes private or on-premises data centers, other cloud providers (AWS or GCP), and multi-tenant Microsoft environments. Let us look at each of these and how to integrate them into the security strategy:

• Private data centers: Most companies today have a combination of private and public infrastructures also known as hybrid infrastructures. These architectures create complexity in network communications, identity and access management, and applications. The challenge is that these legacy private data centers have existing security...

The last section of this chapter addresses how you would develop a strategy for traffic filtering and segmentation. In the Translating Security Requirements into Technical Capabilities section, you learned about protecting the network perimeter through network segmentation by utilizing different virtual networks and filtering traffic with Azure Firewall or a WAF.

As a cybersecurity architect, you need to recognize the areas that require this filtering and network segmentation. As has been stated previously, taking a proper inventory of controls that are currently in place; understanding the business requirements; knowing local regulations, standards, and jurisdictions; and determining the industry requirements for your company all play a crucial role in determining how to design the technical and governance requirements of your security architecture.

Traffic filtering can be addressed in multiple...

In this chapter, you learned about the areas of design and architecture, which are part of the overall security strategy. This included the MCRA for building that foundational architectural strategy. You also learned about the need to understand business goals to align them with your security strategy. You explored the solutions and services that can be used for a defense-in-depth security strategy. You also discovered the steps of building a resilient security architecture. This included the integration of hybrid, multi-cloud, and multi-tenant infrastructures, and technical governance for traffic filtering and network segmentation. These strategies are the foundation of the concepts of cybersecurity architecture and the zero-trust methodology.

The next chapter will discuss the strategies for designing the architecture for security operations.