Power Platform & Dynamics 365 Cloud Solution Architect Assets
Service Offerings Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Welcome to CSA Assets!
  2. /
  3. Well-Architected Framework
  4. /
  5. Security
  6. /
  7. Security Assessment Guidance 04 How Do You Segment Your Workload as a Defense in Depth Measure

Security Assessment Guidance 04 How Do You Segment Your Workload as a Defense in Depth Measure

Security Assessment - Defense in Depth

Question: How do you segment your workload as a defense-in-depth measure?

Identifying the boundaries between your development, testing, and production environments and also between the individual components within them allows you to implement proper isolation between these environments and components. If any of the components becomes compromised, this isolation shrinks the blast radius.

Comments

Question Responses

[X] We implement the defense-in-depth concept in our workload, take a layered approach toward security, and ensure clear segmentation boundaries.

Defense in depth provides a multi-layered security strategy, which is fundamental in minimizing the impact of a breach. This strategy confines the threat to the compromised segment, which prevents it from spreading throughout the system. This approach helps ensure that if one layer is breached, others remain intact and able to safeguard the data.

Comments

References

[X] We recognize identity as the primary security perimeter for this workload.

Recognizing identity as the primary security perimeter means assigning role-based access, minimizing anonymous interactions, and instituting diverse access scopes across various segments to manage permissions from development to production stages. Additionally, identities of applications and management must be thoughtfully distinguished, by potentially using different systems for each identity type. The principle of least-privilege access is the foundation of this approach. It begins by granting the most constrained access and only widens scopes cautiously and strategically.

[X] We have clear lines of workload responsibility and have implemented access controls accordingly.

The explicit delineation of roles and responsibilities minimizes ambiguity. Specifically, the delineation streamlines incident response by directing matters to accountable parties or teams. Ensuring that stakeholders have crystal-clear comprehension of their duties diminishes the risk of human error and automation failures. The result is enhanced operational efficiency.

[X] We established network segmentation perimeter controls.

Network segmentation perimeter controls include edge perimeters, firewalls, data flows, and intent-based boundaries. Network perimeters and segmentation restrict the lateral movements of malicious entities through the network. As a result, the blast radius is mitigated, and unauthorized access and data leaks are prevented. This containment strategy is vital in isolating potential security incidents and protecting unaffected segments from compromise.

[X] We segregate resources by using resource organization and isolate resources by using separate solutions and environments.

Organizing resources into solutions and using separate environments provides a way to isolate resources. These safeguards ensure that a breach in one segment doesn’t turn into a systemic failure. As a result, they help to sustain operational integrity across various workload components.

gdoc_arrow_left_alt Security Assessment Guidance 03 Have You Classified All Data Persisted by the Workload Security Assessment Guidance 05 What Identity and Access Controls Do You Use to Secure Your Application gdoc_arrow_right_alt