Framework structure

Alexander Filipin edited this page Apr 30, 2021 · 16 revisions

High level overview of personas, context and security controls.

We need to determine which security controls are required; the combination of persona and context determines this. Below is an overview of the elements used in different frameworks, bringing the puzzle pieces together.

Personas

Technical / organizational view

  • Internals (Employees)
  • Externals (with Corp identity)
  • Guests (B2B External User)
  • Admins
  • External Admins (with Corp identity)
  • Guest Admins
  • Service Accounts
  • Service Principals
  • General/catch the rest
  • ...

SPA view

  • Standard user
  • High impact user / developer
  • IT Operations

Cloud Adoption Framework enterprise-scale view

  • Platform owner
  • NetOps
  • SecOps
  • AppOps/DevOps
  • Subscription / landing zone owner

Context

Categories used in this repository's policy sets

  • Admin protection
  • Base protection
  • Attack surface reduction
  • Application protection
  • Data protection
  • Compliance
  • Control
  • Management
  • Data/Workload
  • Baseline
  • Sensitive
  • Highly regulated
  • Personal
  • Public
  • General
  • Confidential
  • Highly Confidential

Cloud Adoption Framework enterprise-scale architecture

  • Platform (Identity, Management, Connectivity)
  • Landing zones

Conditional access controls

  • Conditions (Apps, Authentication context, ...)

Security controls

  • Enterprise
  • Specialized
  • Privileged

NIST authentication levels

  • Level 1
  • Level 2
  • Level 3
  • Level 4

Conditional access controls

  • Require compliant device
  • Require MFA
  • Require session controls
  • ...