Framework structure - AlexFilipin/ConditionalAccess GitHub Wiki

High level overview of personas, context and security controls.

Which security controls are required is determined by the combination of persona and context. Below is an overview of the elements used in different frameworks, an attempt to bring the puzzle pieces together.

Personas

Technical / organizational view

  • Internals (Employees)
  • Externals (with Corp identity)
  • Guests (B2B External User)
  • Admins
  • External Admins (with Corp identity)
  • Guest Admins
  • Service Accounts
  • Service Principals
  • General/catch the rest
  • ...

SPA (Securing Privileged Access) view

  • Standard user
  • High impact user / developer
  • IT Operations

Cloud Adoption Framework enterprise-scale view

  • Platform owner
  • NetOps
  • SecOps
  • AppOps/DevOps
  • Subscription / landing zone owner

Context

Categories used in this repository's policy sets

  • Admin protection
  • Base protection
  • Attack surface reduction
  • Application protection
  • Data protection
  • Compliance

SPA Planes

  • Control
  • Management
  • Data/Workload

M365 security three tiers of protection

  • Baseline
  • Sensitive
  • Highly regulated

Microsoft Information Protection sensitivity labels

  • Personal
  • Public
  • General
  • Confidential
  • Highly Confidential

Cloud Adoption Framework enterprise-scale architecture

  • Platform (Identity, Management, Connectivity)
  • Landing zones

Conditional access conditions

  • Conditions (Apps, Authentication context, ...)

Security controls

SPA security controls

  • Enterprise
  • Specialized
  • Privileged

NIST authentication levels

  • Level 1
  • Level 2
  • Level 3
  • Level 4

Conditional access controls

  • Require compliant device
  • Require MFA
  • Session controls (sign-in frequency, ...)
  • ...
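The following is an added example, not code from the ConditionalAccess repository or its policy sets. It shows how the three building blocks above combine: a persona (mapped to an SPA security level) and a context category resolve to a set of grant and session controls, which are then expressed as a Microsoft Graph `conditionalAccessPolicy` body. The group object IDs, the persona-to-SPA-level mapping, the control matrix, the emergency-access exclusion and the display-name pattern are all assumptions made for illustration; the policy shape, control names and state values are those of the Graph resource.

```python
"""Compose Entra Conditional Access policies from persona x context.

Added example for this wiki page; not code from the ConditionalAccess
repository. Group IDs, the persona->SPA-level mapping, the control matrix
and the display-name pattern are assumptions. The policy shape follows the
Microsoft Graph conditionalAccessPolicy resource.
"""
from __future__ import annotations
import json
from typing import Any

# Persona -> object ID of the Entra ID group holding that persona (placeholders).
PERSONA_GROUP = {
    "Internals": "00000000-0000-0000-0000-000000000001",
    "Guests":    "00000000-0000-0000-0000-000000000002",
    "Admins":    "00000000-0000-0000-0000-000000000003",
}
# Emergency-access ("break glass") accounts are excluded from every policy so a
# mis-scoped policy cannot lock the tenant out (placeholder ID, assumed practice).
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-0000000000ff"

# SPA security level assigned to each persona (assumed mapping).
PERSONA_LEVEL = {"Internals": "Enterprise", "Guests": "Enterprise", "Admins": "Privileged"}

# (context category, SPA level) -> required controls. Control names are Graph
# builtInControls values; "*" matches any level. The matrix itself is assumed.
MATRIX: dict[tuple[str, str], dict[str, Any]] = {
    ("Base protection", "Enterprise"):  {"grant": ["mfa", "compliantDevice"], "operator": "OR"},
    ("Base protection", "Specialized"): {"grant": ["mfa", "compliantDevice"], "operator": "AND"},
    ("Base protection", "Privileged"):  {"grant": ["mfa", "compliantDevice"], "operator": "AND",
                                         "signInFrequencyHours": 4},
    # Legacy authentication clients cannot satisfy MFA, so they are blocked outright.
    ("Attack surface reduction", "*"):  {"grant": ["block"], "operator": "OR",
                                         "clientAppTypes": ["exchangeActiveSync", "other"]},
}

# Guest devices are not enrolled in the resource tenant, so device-based grant
# controls would simply block guests instead of raising their assurance.
GUEST_INCOMPATIBLE = {"compliantDevice", "domainJoinedDevice"}


def required_controls(persona: str, context: str) -> dict[str, Any]:
    """Resolve the control set for a persona/context pair, adjusted for the persona."""
    level = PERSONA_LEVEL[persona]
    spec = MATRIX.get((context, level)) or MATRIX.get((context, "*"))
    if spec is None:
        raise ValueError(f"no controls defined for {persona!r} in {context!r}")
    grant = list(spec["grant"])
    if persona == "Guests":
        grant = [c for c in grant if c not in GUEST_INCOMPATIBLE]
    if not grant:
        raise ValueError(f"{context!r} leaves no usable grant control for {persona!r}")
    return {**spec, "grant": grant}


def build_policy(persona: str, context: str, number: int) -> dict[str, Any]:
    """Return a Graph conditionalAccessPolicy body, report-only until reviewed."""
    spec = required_controls(persona, context)
    grant = spec["grant"]
    # Display-name pattern is an assumption: CA<nnn>-<Persona>-<Context>-<controls>.
    name = f"CA{number:03d}-{persona}-{context.title().replace(' ', '')}-{'+'.join(grant)}"
    policy: dict[str, Any] = {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": [PERSONA_GROUP[persona]],
                      "excludeGroups": [BREAK_GLASS_GROUP]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": spec.get("clientAppTypes", ["all"]),
        },
        "grantControls": {"operator": spec["operator"], "builtInControls": grant},
    }
    if "signInFrequencyHours" in spec:
        policy["sessionControls"] = {"signInFrequency": {
            "isEnabled": True, "type": "hours", "value": spec["signInFrequencyHours"]}}
    return policy


def validate_policy(policy: dict[str, Any]) -> list[str]:
    """Sanity checks to run before switching a policy from report-only to enabled."""
    problems: list[str] = []
    grant = policy["grantControls"]["builtInControls"]
    if "block" in grant and len(grant) > 1:
        problems.append("'block' cannot be combined with other grant controls")
    users = policy["conditions"]["users"]
    if BREAK_GLASS_GROUP not in users.get("excludeGroups", []):
        problems.append("emergency access accounts are not excluded")
    if "All" in users.get("includeUsers", []) and "block" in grant:
        problems.append("blocking all users without exclusions is a tenant lockout")
    return problems


if __name__ == "__main__":
    pairs = [("Internals", "Base protection"), ("Guests", "Base protection"),
             ("Admins", "Base protection"), ("Admins", "Attack surface reduction")]
    for n, (persona, context) in enumerate(pairs, start=1):
        p = build_policy(persona, context, n)
        print(json.dumps(p, indent=2), validate_policy(p) or "ok")
```

Two design points carry over to real policy sets: every generated policy starts in report-only state so its effect can be read from sign-in logs before enforcement, and the guest persona drops device-based controls rather than inheriting them, since requiring a compliant device from a B2B user is a block, not a step-up.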