I picked up a copy of The Chicago Manual of Style at a local flea market last weekend. The guide covers all aspects of editorial practice, including grammar and usage, formatting, and copy editing. I have a few books like this on my bookshelf, which hail from my years working in corporate communication and design.
Flicking through the book, it occurred to me that it is analogous to the various frameworks and guidelines, such as NIST, the CIS Controls and the ISO standards, that help architects and engineers deploy and secure workloads using best practices.
In this post, I want to have a look at my top five frameworks or best practice guidelines that Microsoft provides.
Microsoft Cybersecurity Reference Architectures (MCRA)
There is only really one place to start and that is with the Microsoft Cybersecurity Reference Architectures (MCRA). The MCRA describes and illustrates Microsoft’s cybersecurity capabilities and technologies.
The MCRA includes detailed technical diagrams for Microsoft cybersecurity capabilities, zero trust user access, security operations (SecOps/SOC), operational technology (OT), multi-cloud and cross-platform capabilities, attack chain coverage, infrastructure and development security, and security organizational functions.
The recent update weighs in at ninety-five PowerPoint slides that can be used as a starting template for a security architecture, a comparison reference for security capabilities, a learning tool, and a resource to learn about Microsoft’s integration investments and cybersecurity.
For more info on the Microsoft Cybersecurity Reference Architectures (MCRA) see https://aka.ms/MCRA
Microsoft cloud security benchmark (MCSB)
The Microsoft cloud security benchmark (MCSB) is a set of security recommendations for cloud services. It consists of two key aspects:
Security controls: These are general security best practices that apply to all cloud workloads. They also identify the stakeholders involved in implementing them.
Service baselines: These are specific security configurations for individual cloud services. Currently, they are only available for Azure services.
MCSB can help customers who are new to cloud, want to improve their cloud security posture, use multi-cloud environments, need to meet compliance requirements, or want to evaluate the security features of different cloud platforms. MCSB also maps to industry standards such as CIS, NIST, and PCI-DSS. MCSB can be monitored using Microsoft Defender for Cloud and enforced using features like Azure Blueprints, Azure Policy, or similar tools from other cloud platforms.
For more info on the Microsoft cloud security benchmark (MCSB) see https://aka.ms/MCSB
Microsoft Cloud Adoption Framework for Azure (CAF)
The Microsoft Cloud Adoption Framework for Azure is a full lifecycle framework that enables cloud architects, IT professionals, and business decision makers to achieve their cloud adoption goals. It provides best practices, documentation, and tools that help you create and implement business and technology strategies for the cloud.
The framework consists of the following phases:
Strategy: Define your cloud adoption strategy, including motivations, business outcomes, financial considerations, and technical considerations.
Plan: Plan your cloud adoption journey, including rationalizing your digital estate, organizational alignment, skills readiness plan, DevOps cloud adoption plan, and operating model alignment.
Ready: Prepare your environment for cloud adoption, including Azure landing zone conceptual architecture, Azure landing zone design areas, and implementation options.
Migrate: Migrate your workloads to the cloud, including Azure migration guide, migration scenarios, cloud migration best practices, and process improvements.
Innovate: Innovate in the cloud, including business value consensus, building your first MVP, measuring for customer impact, and expanding digital inventions.
Secure: Secure your cloud environment, including risk insights, business resilience, asset protection, and security controls.
Manage: Manage your cloud environment, including business commitments, management baseline, and operations and design principles.
Govern: Govern your cloud environment, including methodology, benchmark assessment, and governance foundation.
The framework also includes guidance for each phase of your cloud adoption journey, antipatterns to avoid, and more.
For more info on Microsoft Cloud Adoption Framework for Azure (CAF) see https://aka.ms/CAF
Azure Landing Zones (ALZ)
What used to be called the Azure Enterprise Landing Zone is now simply the Azure Landing Zone (ALZ). It falls under the Ready phase of CAF, but it is well worth its own mention.
ALZ is a conceptual architecture that follows key design principles across eight design areas which are Azure billing and Microsoft Entra tenant, identity and access management, resource organization, network topology and connectivity, security, management, governance, and platform automation and DevOps.
The Azure landing zone architecture is scalable and modular to meet various deployment needs. A repeatable infrastructure allows you to apply configurations and controls to every subscription consistently. Modules make it easy to deploy and modify specific Azure landing zone architecture components as your requirements evolve.
The Azure landing zone consists of two types of subscriptions: platform landing zones and application landing zones. A platform landing zone is a subscription that provides shared services (identity, connectivity, management) to applications in application landing zones. Consolidating these shared services often improves operational efficiency. An application landing zone is a subscription that contains one or more applications.
For more info on Azure Landing Zones (ALZ) see https://aka.ms/ALZ
Azure Well-Architected Framework (WAF)
The Azure Well-Architected Framework (WAF) is a set of quality-driven tenets, architectural decision points, and review tools intended to help solution architects build a technical foundation for their workloads and is designed to help you create and maintain cloud architectures that align with industry standards.
It consists of five pillars of architecture excellence: Cost Optimization, Operational Excellence, Performance Efficiency, Reliability, and Security.
The WAF provides a set of best practices and guidelines that help you build secure, high-performing, resilient, and efficient infrastructure for applications on Azure and includes review tools that can be used to assess your readiness in deploying to production.
The WAF also maps to industry standards such as CIS, NIST, and PCI-DSS.
As a solution architect, you want to build reliable, secure, and performant workloads that maximize the value of your investment in Azure infrastructure. Start with the pillars and align your design choices with their principles. Then build a strong foundation for your workload based on the technical design areas. Finally, use the review tools to assess your readiness for deploying to production.
For more info on Azure Well-Architected Framework (WAF) see https://aka.ms/WAF
Conclusion
Best practices evolve over time in all industries. In IT, an industry that is constantly on fast forward, what is considered best practice can change rapidly. As an example, cybersecurity has evolved from a perimeter-based approach, to identity-based security, through to a zero-trust model, and having guidelines like those listed above gives us principles and guardrails to help deploy things in a secure, consistent and repeatable manner.
I would love to hear which framework or guidelines you find the most useful, either from the list above or something I may have missed!
Please leave your comments below.
I also have a weakness for obscure books, but especially completely outdated IT books!