From 6b28b05d815a806160c69a91c2a4dc249c6d4ce6 Mon Sep 17 00:00:00 2001 
From: Kim Harjamaki Date: Sat, 3 Jan 2026 08:31:01 +0200 Subject: [PATCH] Harden site link resolution for Pages --- .editorconfig | 19 + .github/ISSUE_TEMPLATE/bug_report.yml | 21 + .github/ISSUE_TEMPLATE/doc_change.yml | 15 + .github/ISSUE_TEMPLATE/service_request.yml | 20 + .github/pull_request_template.md | 7 + .github/workflows/ci.yml | 34 ++ .gitignore | 7 + CODEX_INSTRUCTIONS.md | 422 ++++++++++++++++++ CODE_OF_CONDUCT.md | 24 + CONTRIBUTING.md | 27 ++ README.md | 81 ++++ SECURITY.md | 16 + agile/README.md | 9 + agile/backlog/README.md | 9 + agile/backlog/definition-of-done.md | 8 + agile/backlog/epics.md | 9 + agile/backlog/sample-backlog-items.md | 22 + agile/backlog/security-debt.md | 8 + agile/ceremonies/daily-standup.md | 5 + agile/ceremonies/retrospective.md | 6 + agile/ceremonies/review-demo.md | 6 + agile/ceremonies/sprint-planning.md | 6 + agile/operating-metrics/kpi-cadence.md | 9 + agile/operating-metrics/okrs.md | 9 + docs/00-executive-overview.md | 79 ++++ docs/01-service-definition.md | 56 +++ docs/02-service-catalog.md | 21 + docs/03-architecture-principles.md | 20 + docs/04-reference-architecture.md | 37 ++ docs/05-operating-model.md | 48 ++ docs/06-governance-and-raic.md | 22 + docs/07-metrics-and-kpis.md | 42 ++ docs/08-roadmap-and-maturity.md | 39 ++ docs/09-risk-management.md | 27 ++ docs/10-audit-readiness.md | 30 ++ docs/11-incident-response.md | 44 ++ docs/12-change-and-release.md | 40 ++ docs/13-exception-handling.md | 34 ++ docs/14-vulnerability-management.md | 23 + docs/15-access-management.md | 20 + docs/16-logging-monitoring-siem.md | 31 ++ docs/17-data-protection-and-keys.md | 19 + docs/18-hybrid-azure-local.md | 35 ++ docs/19-devsecops-pipelines.md | 55 +++ docs/20-runbooks/README.md | 11 + docs/20-runbooks/rbk-001-incident-triage.md | 16 + .../rbk-002-critical-vuln-response.md | 16 + .../rbk-003-policy-drift-remediation.md | 16 + docs/20-runbooks/rbk-004-breakglass-access.md | 16 + .../rbk-005-azure-arc-onboarding.md | 16 + 
.../rbk-006-sentinel-detection-tuning.md | 16 + docs/21-templates/README.md | 15 + docs/21-templates/template-change-request.md | 19 + .../template-exception-request.md | 23 + docs/21-templates/template-incident-report.md | 22 + docs/21-templates/template-kpi-dashboard.md | 11 + docs/21-templates/template-postmortem.md | 16 + docs/21-templates/template-risk-acceptance.md | 17 + docs/21-templates/template-risk-register.csv | 2 + docs/21-templates/template-service-review.md | 12 + .../template-sprint-ceremonies.md | 18 + .../template-weekly-security-ops.md | 12 + docs/22-diagrams/README.md | 13 + docs/22-diagrams/change-management.mmd | 10 + docs/22-diagrams/exception-handling.mmd | 6 + .../hybrid-logging-architecture.mmd | 6 + docs/22-diagrams/incident-response.mmd | 9 + docs/22-diagrams/policy-as-code-loop.mmd | 6 + docs/22-diagrams/security-operating-model.mmd | 5 + docs/22-diagrams/service-lifecycle.mmd | 7 + docs/22-diagrams/shared-responsibility.mmd | 8 + docs/assets/app.js | 63 +++ docs/assets/style.css | 80 ++++ docs/index.html | 39 ++ docs/pages/architecture.html | 31 ++ docs/pages/hybrid.html | 30 ++ docs/pages/kpis.html | 30 ++ docs/pages/operating-model.html | 30 ++ docs/pages/overview.html | 30 ++ docs/pages/roadmap.html | 30 ++ docs/pages/runbooks.html | 30 ++ docs/pages/service-definition.html | 30 ++ docs/pages/templates.html | 30 ++ impl/azure/landing-zone/README.md | 36 ++ impl/azure/landing-zone/bicep/main.bicep | 37 ++ .../landing-zone/bicep/modules/identity.bicep | 5 + .../landing-zone/bicep/modules/keyvault.bicep | 4 + .../bicep/modules/logging-siem.bicep | 4 + .../bicep/modules/network-hubspoke.bicep | 4 + .../bicep/modules/policy-assignments.bicep | 4 + impl/azure/landing-zone/terraform/README.md | 12 + impl/azure/landing-zone/terraform/main.tf | 21 + .../terraform/modules/identity/README.md | 3 + .../terraform/modules/logging/README.md | 3 + .../terraform/modules/network/README.md | 3 + .../terraform/modules/policies/README.md | 3 + 
impl/azure/policy-as-code/README.md | 20 + .../mgmt-group-assignment.example.json | 9 + .../subscription-assignment.example.json | 9 + .../cloud-security-baseline-initiative.json | 33 ++ .../iso27001-aligned-initiative.json | 28 ++ impl/azure/sentinel/README.md | 17 + .../impossible-travel.example.json | 9 + .../suspicious-admin-activity.example.json | 9 + .../playbooks/disable-user.example.json | 7 + .../playbooks/isolate-vm.example.json | 7 + impl/hybrid/azure-arc/README.md | 9 + .../azure-arc/onboarding/arc-onboard.ps1 | 13 + .../azure-arc/onboarding/arc-onboard.sh | 20 + .../policy-scope/arc-policy-scope.md | 10 + impl/hybrid/azure-local/README.md | 9 + .../secure-baseline/baseline-checklist.md | 21 + .../secure-baseline/logging-forwarding.md | 7 + 113 files changed, 2694 insertions(+) create mode 100644 .editorconfig create mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml create mode 100644 .github/ISSUE_TEMPLATE/doc_change.yml create mode 100644 .github/ISSUE_TEMPLATE/service_request.yml create mode 100644 .github/pull_request_template.md create mode 100644 .github/workflows/ci.yml create mode 100644 .gitignore create mode 100644 CODEX_INSTRUCTIONS.md create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 README.md create mode 100644 SECURITY.md create mode 100644 agile/README.md create mode 100644 agile/backlog/README.md create mode 100644 agile/backlog/definition-of-done.md create mode 100644 agile/backlog/epics.md create mode 100644 agile/backlog/sample-backlog-items.md create mode 100644 agile/backlog/security-debt.md create mode 100644 agile/ceremonies/daily-standup.md create mode 100644 agile/ceremonies/retrospective.md create mode 100644 agile/ceremonies/review-demo.md create mode 100644 agile/ceremonies/sprint-planning.md create mode 100644 agile/operating-metrics/kpi-cadence.md create mode 100644 agile/operating-metrics/okrs.md create mode 100644 docs/00-executive-overview.md create mode 100644 
docs/01-service-definition.md create mode 100644 docs/02-service-catalog.md create mode 100644 docs/03-architecture-principles.md create mode 100644 docs/04-reference-architecture.md create mode 100644 docs/05-operating-model.md create mode 100644 docs/06-governance-and-raic.md create mode 100644 docs/07-metrics-and-kpis.md create mode 100644 docs/08-roadmap-and-maturity.md create mode 100644 docs/09-risk-management.md create mode 100644 docs/10-audit-readiness.md create mode 100644 docs/11-incident-response.md create mode 100644 docs/12-change-and-release.md create mode 100644 docs/13-exception-handling.md create mode 100644 docs/14-vulnerability-management.md create mode 100644 docs/15-access-management.md create mode 100644 docs/16-logging-monitoring-siem.md create mode 100644 docs/17-data-protection-and-keys.md create mode 100644 docs/18-hybrid-azure-local.md create mode 100644 docs/19-devsecops-pipelines.md create mode 100644 docs/20-runbooks/README.md create mode 100644 docs/20-runbooks/rbk-001-incident-triage.md create mode 100644 docs/20-runbooks/rbk-002-critical-vuln-response.md create mode 100644 docs/20-runbooks/rbk-003-policy-drift-remediation.md create mode 100644 docs/20-runbooks/rbk-004-breakglass-access.md create mode 100644 docs/20-runbooks/rbk-005-azure-arc-onboarding.md create mode 100644 docs/20-runbooks/rbk-006-sentinel-detection-tuning.md create mode 100644 docs/21-templates/README.md create mode 100644 docs/21-templates/template-change-request.md create mode 100644 docs/21-templates/template-exception-request.md create mode 100644 docs/21-templates/template-incident-report.md create mode 100644 docs/21-templates/template-kpi-dashboard.md create mode 100644 docs/21-templates/template-postmortem.md create mode 100644 docs/21-templates/template-risk-acceptance.md create mode 100644 docs/21-templates/template-risk-register.csv create mode 100644 docs/21-templates/template-service-review.md create mode 100644 
docs/21-templates/template-sprint-ceremonies.md create mode 100644 docs/21-templates/template-weekly-security-ops.md create mode 100644 docs/22-diagrams/README.md create mode 100644 docs/22-diagrams/change-management.mmd create mode 100644 docs/22-diagrams/exception-handling.mmd create mode 100644 docs/22-diagrams/hybrid-logging-architecture.mmd create mode 100644 docs/22-diagrams/incident-response.mmd create mode 100644 docs/22-diagrams/policy-as-code-loop.mmd create mode 100644 docs/22-diagrams/security-operating-model.mmd create mode 100644 docs/22-diagrams/service-lifecycle.mmd create mode 100644 docs/22-diagrams/shared-responsibility.mmd create mode 100644 docs/assets/app.js create mode 100644 docs/assets/style.css create mode 100644 docs/index.html create mode 100644 docs/pages/architecture.html create mode 100644 docs/pages/hybrid.html create mode 100644 docs/pages/kpis.html create mode 100644 docs/pages/operating-model.html create mode 100644 docs/pages/overview.html create mode 100644 docs/pages/roadmap.html create mode 100644 docs/pages/runbooks.html create mode 100644 docs/pages/service-definition.html create mode 100644 docs/pages/templates.html create mode 100644 impl/azure/landing-zone/README.md create mode 100644 impl/azure/landing-zone/bicep/main.bicep create mode 100644 impl/azure/landing-zone/bicep/modules/identity.bicep create mode 100644 impl/azure/landing-zone/bicep/modules/keyvault.bicep create mode 100644 impl/azure/landing-zone/bicep/modules/logging-siem.bicep create mode 100644 impl/azure/landing-zone/bicep/modules/network-hubspoke.bicep create mode 100644 impl/azure/landing-zone/bicep/modules/policy-assignments.bicep create mode 100644 impl/azure/landing-zone/terraform/README.md create mode 100644 impl/azure/landing-zone/terraform/main.tf create mode 100644 impl/azure/landing-zone/terraform/modules/identity/README.md create mode 100644 impl/azure/landing-zone/terraform/modules/logging/README.md create mode 100644 
impl/azure/landing-zone/terraform/modules/network/README.md
create mode 100644 impl/azure/landing-zone/terraform/modules/policies/README.md
create mode 100644 impl/azure/policy-as-code/README.md
create mode 100644 impl/azure/policy-as-code/assignments/mgmt-group-assignment.example.json
create mode 100644 impl/azure/policy-as-code/assignments/subscription-assignment.example.json
create mode 100644 impl/azure/policy-as-code/initiatives/cloud-security-baseline-initiative.json
create mode 100644 impl/azure/policy-as-code/initiatives/iso27001-aligned-initiative.json
create mode 100644 impl/azure/sentinel/README.md
create mode 100644 impl/azure/sentinel/analytic-rules/impossible-travel.example.json
create mode 100644 impl/azure/sentinel/analytic-rules/suspicious-admin-activity.example.json
create mode 100644 impl/azure/sentinel/playbooks/disable-user.example.json
create mode 100644 impl/azure/sentinel/playbooks/isolate-vm.example.json
create mode 100644 impl/hybrid/azure-arc/README.md
create mode 100644 impl/hybrid/azure-arc/onboarding/arc-onboard.ps1
create mode 100644 impl/hybrid/azure-arc/onboarding/arc-onboard.sh
create mode 100644 impl/hybrid/azure-arc/policy-scope/arc-policy-scope.md
create mode 100644 impl/hybrid/azure-local/README.md
create mode 100644 impl/hybrid/azure-local/secure-baseline/baseline-checklist.md
create mode 100644 impl/hybrid/azure-local/secure-baseline/logging-forwarding.md
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..7e452d0
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,19 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+
+[*.md]
+max_line_length = 120
+trim_trailing_whitespace = true
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[*.{js,css,html}]
+indent_size = 2
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
new file mode 100644
index 0000000..60fe24b
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,21 @@
+name: Bug report
+description: Report a bug or documentation issue
+title: "[Bug]: "
+labels: [bug]
+body:
+ - type: textarea
+ id: description
+ attributes:
+ label: Description
+ description: What happened?
+ validations:
+ required: true
+ - type: textarea
+ id: expected
+ attributes:
+ label: Expected behavior
+ - type: textarea
+ id: context
+ attributes:
+ label: Context
+ description: Links or references
diff --git a/.github/ISSUE_TEMPLATE/doc_change.yml b/.github/ISSUE_TEMPLATE/doc_change.yml
new file mode 100644
index 0000000..e70a48e
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/doc_change.yml
@@ -0,0 +1,15 @@
+name: Documentation change
+description: Request a documentation update
+title: "[Docs]: "
+labels: [documentation]
+body:
+ - type: textarea
+ id: change
+ attributes:
+ label: Requested change
+ validations:
+ required: true
+ - type: textarea
+ id: reason
+ attributes:
+ label: Reason
diff --git a/.github/ISSUE_TEMPLATE/service_request.yml b/.github/ISSUE_TEMPLATE/service_request.yml
new file mode 100644
index 0000000..3fbb35f
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/service_request.yml
@@ -0,0 +1,20 @@
+name: Service request
+description: Request a Cloud Security Service update
+title: "[Service]: "
+labels: [service]
+body:
+ - type: textarea
+ id: request
+ attributes:
+ label: Request
+ description: Describe the requested service change
+ validations:
+ required: true
+ - type: dropdown
+ id: priority
+ attributes:
+ label: Priority
+ options:
+ - Low
+ - Medium
+ - High
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..6b8a8dc
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,7 @@
+# Summary
+
+## Checklist
+- [ ] Docs updated
+- [ ] Diagrams updated
+- [ ] Evidence links updated
+- [ ] Security impact assessed
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..17e165a
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,34 @@
+name: CI
+
+on:
+ pull_request:
+ push:
+ branches: [ main ]
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Markdown lint
+ uses: avto-dev/markdown-lint@v1
+ with:
+ args: 'docs/**/*.md README.md CONTRIBUTING.md SECURITY.md'
+
+ - name: Link check
+ uses: lycheeverse/lychee-action@v1
+ with:
+ args: '--verbose --no-progress docs/**/*.md README.md'
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Verify Mermaid blocks
+ run: |
+ rg "```mermaid" docs README.md
+
+ - name: Validate JSON formatting
+ run: |
+ for file in $(rg --files -g '*.json' impl); do
+ jq empty "$file"
+ done
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..44a4702
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+.DS_Store
+*.log
+*.tmp
+node_modules/
+.cache/
+.vscode/
+.idea/
diff --git a/CODEX_INSTRUCTIONS.md b/CODEX_INSTRUCTIONS.md
new file mode 100644
index 0000000..03b3477
--- /dev/null
+++ b/CODEX_INSTRUCTIONS.md
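Review bot: The "Verify Mermaid blocks" step passes the fence opener (three backticks followed by mermaid) to rg inside double quotes, and bash treats backticks inside double quotes as command substitution, so the step dies with an unmatched-backtick syntax error instead of checking anything; wrapping the pattern in single quotes keeps the backticks literal. Even once it runs, the step only confirms that at least one fence opener exists somewhere under docs or README.md and never parses Mermaid, so CONTRIBUTING.md's claim that CI validates Mermaid syntax overstates what this workflow does. The workflow also declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `lycheeverse/lychee-action@v1` carries the repository's default token scope, and all three actions are referenced by floating major tags rather than commit SHAs; adding `permissions:` / `contents: read` at the top level and pinning each `uses:` to a full commit SHA (`<commit-sha placeholder>`) with a version comment limits that exposure. Separately, `for file in $(rg --files -g '*.json' impl)` word-splits paths, which is harmless for the current filenames but breaks on any path containing whitespace; `rg --files -g '*.json' impl | while IFS= read -r file; do jq empty "$file"; done` avoids it.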
@@ -0,0 +1,422 @@ +# CODEX INSTRUCTIONS — Cloud Security Service Model Repo (Enterprise-grade) + +You are Codex acting as a Staff+ Platform Service Owner (Cloud Security) and Technical Writer with security domain expertise. +Your task: create a brand-new public GitHub repo that simulates an enterprise Cloud Security service operating model. +Do NOT mention any real company names. Use generic terms like “the organization”, “global enterprise”, “platform team”. +Write as if the reader is: +- Head of Cloud Platform Services +- Security leadership (CISO org) +- Cloud engineering leads +- Audit/compliance stakeholders +Tone: crisp, enterprise, practical. Avoid buzzword soup. Prefer clear boundaries, RACI, measurable outcomes. + +## 0) Hard constraints +- Everything must fit in ONE repo with a coherent structure. +- Produce both Markdown documentation and a lightweight static HTML docs site. +- Include Mermaid diagrams for key process flows and lifecycle models. +- Include Azure AND “Azure Local / on-prem / hybrid” perspectives (Azure Arc, connectivity, policy scope, logging). +- Include security frameworks mapping: + - ISO/IEC 27001:2022 (controls mapping at high level; don’t copy copyrighted text; summarize) + - CISSP domain coverage (high level) + - NIST-like IR lifecycle framing (high level) +- Include Agile operating model (service-as-product, backlog, maturity roadmap, KPIs). +- Include “policy-as-code” examples (Azure Policy initiatives/assignments as JSON stubs), plus IaC stubs (Bicep/Terraform skeleton). +- Include runbooks, SLAs/SLOs, incident response playbooks, change management, exception handling, risk acceptance. +- Include a CI workflow that checks markdown, mermaid syntax, and link validity (best-effort). +- Everything must be public-safe: no secrets, no internal URLs, no real tenant IDs. +- Every major document must be complete, non-placeholder, and cross-linked to related docs and diagrams. 
+ +## 1) Output format requirements +- Use Markdown for documentation (`docs/`). +- Use Mermaid (`.mmd` or embedded in MD) for flows. +- Use YAML for templates/workflows. +- Use JSON for Azure Policy stubs. +- Use HTML/CSS for `/site` static docs with a simple nav and search (JS optional). +- Provide consistent naming, cross-links, and an index. +- Avoid inline newline escapes like `\n` in Markdown lists. + +## 2) Repo name + branding +Repo title: `cloud-security-service-model` +Tagline: “A pragmatic, enterprise Cloud Security service operating model (Azure + Hybrid)” + +## 3) Repository structure (MUST create exactly this, plus any needed helpers) +/ + README.md + LICENSE + CODE_OF_CONDUCT.md + CONTRIBUTING.md + SECURITY.md + CODEX_INSTRUCTIONS.md (this file) + .editorconfig + .gitignore + + docs/ + 00-executive-overview.md + 01-service-definition.md + 02-service-catalog.md + 03-architecture-principles.md + 04-reference-architecture.md + 05-operating-model.md + 06-governance-and-raic.md + 07-metrics-and-kpis.md + 08-roadmap-and-maturity.md + 09-risk-management.md + 10-audit-readiness.md + 11-incident-response.md + 12-change-and-release.md + 13-exception-handling.md + 14-vulnerability-management.md + 15-access-management.md + 16-logging-monitoring-siem.md + 17-data-protection-and-keys.md + 18-hybrid-azure-local.md + 19-devsecops-pipelines.md + 20-runbooks/ + README.md + rbk-001-incident-triage.md + rbk-002-critical-vuln-response.md + rbk-003-policy-drift-remediation.md + rbk-004-breakglass-access.md + rbk-005-azure-arc-onboarding.md + rbk-006-sentinel-detection-tuning.md + 21-templates/ + README.md + template-risk-register.csv + template-exception-request.md + template-risk-acceptance.md + template-incident-report.md + template-postmortem.md + template-change-request.md + template-service-review.md + template-weekly-security-ops.md + template-sprint-ceremonies.md + template-kpi-dashboard.md + 22-diagrams/ + README.md + service-lifecycle.mmd + incident-response.mmd 
+ change-management.mmd + exception-handling.mmd + policy-as-code-loop.mmd + hybrid-logging-architecture.mmd + shared-responsibility.mmd + security-operating-model.mmd + + impl/ + azure/ + landing-zone/ + README.md + bicep/ + main.bicep + modules/ + identity.bicep + network-hubspoke.bicep + logging-siem.bicep + keyvault.bicep + policy-assignments.bicep + terraform/ + README.md + main.tf + modules/ + identity/ + network/ + logging/ + policies/ + policy-as-code/ + README.md + initiatives/ + iso27001-aligned-initiative.json + cloud-security-baseline-initiative.json + assignments/ + mgmt-group-assignment.example.json + subscription-assignment.example.json + sentinel/ + README.md + analytic-rules/ + suspicious-admin-activity.example.json + impossible-travel.example.json + playbooks/ + isolate-vm.example.json + disable-user.example.json + hybrid/ + azure-arc/ + README.md + onboarding/ + arc-onboard.ps1 + arc-onboard.sh + policy-scope/ + arc-policy-scope.md + azure-local/ + README.md + secure-baseline/ + baseline-checklist.md + logging-forwarding.md + + agile/ + README.md + backlog/ + README.md + epics.md + sample-backlog-items.md + definition-of-done.md + security-debt.md + ceremonies/ + sprint-planning.md + daily-standup.md + review-demo.md + retrospective.md + operating-metrics/ + okrs.md + kpi-cadence.md + + docs/ + index.html + assets/ + style.css + app.js + pages/ + overview.html + service-definition.html + operating-model.html + architecture.html + kpis.html + roadmap.html + runbooks.html + templates.html + hybrid.html + + .github/ + workflows/ + ci.yml + ISSUE_TEMPLATE/ + bug_report.yml + doc_change.yml + service_request.yml + pull_request_template.md + +## 4) Content requirements for key docs (write them fully) + +### README.md (executive-level) +- 1-page: what this repo is, who it’s for, what problem it solves +- State “Cloud Security as a service/product”, not a toolset. 
+- Include: scope, non-scope, service boundaries, how to consume, quick navigation, how to use the site +- Include diagram preview (Mermaid) of service lifecycle +- Include “How this maps to ISO 27001 / CISSP at a high level” section (summary) + +### docs/01-service-definition.md +- Service mission, outcomes, customers/consumers +- Service boundaries (what we do / don’t do) +- Interfaces with: + - Cloud Platform Engineering + - SOC / SecOps + - Enterprise Risk & Compliance + - App teams + - ITSM +- A clear RACI table (Responsible/Accountable/Consulted/Informed) +- Intake model: service requests, exceptions, changes, incidents + +### docs/05-operating-model.md +- The operating model end-to-end: + - Plan (roadmap/backlog) + - Build (controls as code) + - Run (monitoring, incident response) + - Improve (metrics, retros) +- “Security should be boring, predictable, measurable” framing +- Define key ceremonies and cadences: + - Weekly ops review + - Monthly service review with platform leadership + - Quarterly risk review + - Annual audit readiness cycle +- Include escalation paths and “no hero culture” behavior + +### docs/07-metrics-and-kpis.md +- Define KPIs with: + - definition, formula, data sources, target, owner, reporting cadence +- Must include: + - policy compliance % + - MTTR for critical findings + - time-to-detect/time-to-contain (IR) + - privileged access exposure (PIM activations, standing admins) + - misconfiguration trend rate + - backup restore test success rate +- Add a brief SLA/SLO section with targets for core service capabilities. 
+- Include a sample dashboard mock (markdown table) and a “metrics anti-patterns” section + +### docs/08-roadmap-and-maturity.md +- Maturity phases: Foundation → Standardization → Automation → Optimization +- For each phase: outcomes, key initiatives, exit criteria, risks +- Show a 12-month sample roadmap (quarterly) + +### docs/11-incident-response.md +- IR lifecycle, severity model (SEV1-4) +- Roles: incident commander, comms lead, resolver, forensics, approver +- Playbooks, evidence capture, postmortems +- Include Mermaid flow: alert → triage → contain → eradicate → recover → learn + +### docs/12-change-and-release.md +- Change model: standard/normal/emergency +- Pre-approval rules, maintenance windows, risk assessment +- CAB-lite approach for cloud (fast but controlled) +- Include Mermaid flow and sample change request template link + +### docs/13-exception-handling.md +- Exception types (policy exception, risk acceptance, compensating controls) +- Required fields, expiry, review cadence, sign-off matrix +- Include Mermaid: request → assess → approve → implement compensating control → review/expire + +### docs/18-hybrid-azure-local.md +- Azure Arc onboarding, policy scope, logging pipeline +- Connectivity patterns (hub/spoke, firewall, private link where possible) +- “Azure Local” baseline checklist: identity, patching, EDR, logging forwarding, secrets +- Practical hybrid boundaries: what cloud security service owns vs local IT + +### docs/19-devsecops-pipelines.md +- Integrate security into CI/CD: + - SAST, dependency scan, IaC scan, secret scan + - gated deployments +- Define “definition of done” security controls +- Include example pipeline YAML snippets (generic) + +### docs/09-risk-management.md + docs/10-audit-readiness.md +- Risk register process, scoring method, review cadence +- Audit evidence model: “control → evidence → source → retention” +- ISO 27001 mapping table (high-level: domain → control intent → implementation examples) + +## 5) Mermaid 
diagrams (must generate all in docs/22-diagrams/*.mmd) +Make them clean, labeled, and consistent. + +Required diagrams: +- service-lifecycle.mmd (service as product lifecycle) +- security-operating-model.mmd (Plan/Build/Run/Improve) +- incident-response.mmd +- change-management.mmd +- exception-handling.mmd +- policy-as-code-loop.mmd (author → test → deploy → monitor drift → fix) +- hybrid-logging-architecture.mmd (Azure + Arc + on-prem logs → SIEM) +- shared-responsibility.mmd (provider vs customer layers) + +## 6) Implementation stubs (impl/*) +These are NOT production code; they are credible examples. + +### impl/azure/landing-zone +- Provide a README explaining: + - management group structure + - subscription topology + - identity/RBAC baseline + - hub/spoke network + - logging + sentinel + - policy assignments +- Provide minimal Bicep stubs with comments and parameters: + - identity.bicep (roles, PIM notes) + - network-hubspoke.bicep (hub vnet, firewall placeholder, private dns) + - logging-siem.bicep (log analytics workspace, diagnostic settings placeholders) + - keyvault.bicep (kv + RBAC) + - policy-assignments.bicep (assignment placeholders) +- Provide Terraform skeleton mirroring the above (empty modules with README per module) + +### impl/azure/policy-as-code +- Write JSON stubs for: + - iso27001-aligned-initiative.json (high-level grouping; do not reproduce ISO text) + - cloud-security-baseline-initiative.json (encryption, no public IP, diagnostics, tags) +- Provide assignment examples (mgmt group + subscription) +- Provide README describing testing approach and rollout strategy + +### impl/azure/sentinel +- Provide example analytic rule JSON stubs and playbook JSON stubs +- Provide README describing detection engineering workflow & tuning cadence + +### impl/hybrid/azure-arc +- Provide onboarding scripts (PowerShell + bash) that are SAFE placeholders: + - include parameter parsing, logging, and “TODO: add actual commands” + - do not include secrets +- 
Provide documentation of policy scope and logging forwarding patterns + +### impl/hybrid/azure-local +- Provide baseline-checklist.md and logging-forwarding.md with stepwise, generic guidance + +## 7) Agile artifacts (agile/*) +- Provide a realistic security backlog model: + - epics (Identity, Policy as Code, Sentinel, Hybrid, Data, IR, Governance) + - sample backlog items with acceptance criteria + - definition-of-done.md that includes security checks + - security-debt.md describing how to track “security debt” +- Provide ceremony templates and cadence +- Provide OKR examples aligned to measurable outcomes + +## 8) Templates (docs/21-templates) +Create real usable templates: +- CSV risk register (columns: id, title, description, likelihood, impact, score, owner, treatment, due date, status, last reviewed, evidence links) +- exception request md +- risk acceptance md +- incident report md +- postmortem md +- change request md +- service review md +- weekly security ops agenda md +- sprint ceremonies md +- kpi dashboard md + +## 9) HTML site (site/*) +Create a minimal docs site: +- left nav +- mobile friendly +- search (simple JS search over page titles or a small index array) +- Each page should summarize and link to the canonical markdown doc in /docs. +- Keep design clean and “internal documentation” style. +- No external dependencies required (no frameworks). Pure HTML/CSS/JS. + +## 10) GitHub hygiene + CI +### .github/workflows/ci.yml +Include: +- markdown lint (use a simple open-source action) +- link check (best-effort) +- verify Mermaid code blocks exist (basic grep) +- validate JSON formatting for policy stubs +Keep it stable and not overcomplicated. 
+ +### templates +- Issue templates: bug, doc change, service request +- PR template with checklist: docs updated, diagrams updated, evidence links updated, security impact assessed + +## 11) Cross-linking and navigation +- docs/00-executive-overview.md links to everything +- docs index in README +- Each doc includes “Related docs” at bottom +- Diagrams referenced from relevant docs +- Each diagram should be referenced by at least one doc and the related doc should mention the diagram. + +## 12) Quality bar +- No fluff. Every section must answer: “what is it, who owns it, how does it work, how is success measured, how does it improve”. +- Use consistent terminology: + - “Service Manager” (role) + - “Cloud Security Service” (product) + - “Consumers” (app teams/platform teams) + - “Controls as Code” (policies, detections, baselines) + - “Evidence” (audit artifacts) +- Prefer explicit tables (RACI, KPIs, cadences, responsibilities). +- Include “anti-patterns” sections to show maturity (e.g., security as blocker, PDF policies, hero culture). +- Ensure Markdown content is lint-friendly and free of formatting artifacts. + +## 13) Execution steps (what you should do now) +1) Create all files and folders above. +2) Populate each file with full high-quality content. +3) Ensure internal links work. +4) Ensure Mermaid diagrams render (syntax correct). +5) Ensure CI YAML is valid. +6) Ensure repo reads like an enterprise internal wiki export. 
+ +## 14) Deliverable completeness checklist (MUST satisfy) +- [ ] README is executive-grade and sets service-owner posture +- [ ] Service definition includes boundaries + RACI + interfaces +- [ ] Operating model includes cadence + escalation + predictable ops +- [ ] KPIs are defined with formulas and targets +- [ ] Roadmap/maturity is credible and phased +- [ ] IR, Change, Exception, Risk, Audit docs exist and are actionable +- [ ] Azure + Hybrid implementation stubs exist and are coherent +- [ ] Mermaid diagrams exist for all key flows +- [ ] Templates exist and are usable +- [ ] HTML site exists and links to docs +- [ ] GitHub CI + templates exist + +Proceed to generate the repo contents now. +If something is ambiguous, make a reasonable enterprise assumption and document it in `docs/00-executive-overview.md` under “Assumptions”. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..c6730ee --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,24 @@ +# Code of Conduct + +This repository follows a simple, professional code of conduct to keep collaboration respectful and productive. + +## Our Standards + +- Be respectful and inclusive. +- Focus on the work and assume good intent. +- Give constructive feedback and accept it gracefully. +- Keep discussions professional and on-topic. + +## Unacceptable Behavior + +- Harassment, discrimination, or personal attacks. +- Doxing or sharing private information. +- Intimidation or sustained disruptive behavior. + +## Reporting + +If you experience or witness unacceptable behavior, open a private security advisory or contact the repository maintainers. + +## Enforcement + +Maintainers may take any action they deem appropriate, including removing content or restricting participation. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..e3407df --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,27 @@
+# Contributing
+
+Thank you for contributing to the Cloud Security Service Model repo. This project is documentation-first and aims to
+reflect enterprise-grade practices.
+
+## How to Contribute
+
+1. Open an issue or service request describing the change.
+2. Create a branch with a clear name (e.g., `docs/update-kpi-table`).
+3. Keep edits concise and aligned with the service operating model.
+4. Update related docs and diagrams when applicable.
+5. Submit a pull request using the template.
+
+## Content Guidelines
+
+- Use clear, direct language. Avoid buzzwords and vendor-specific jargon.
+- Use the terms “Cloud Security Service”, “Service Manager”, and “Controls as Code”.
+- Include measurable outcomes and ownership where possible.
+- Keep documentation public-safe and free of secrets or internal URLs.
+
+## Testing
+
+CI validates Markdown, links, Mermaid syntax, and JSON formatting. Run the checks locally if needed.
+
+## License
+
+By contributing, you agree that your contributions are licensed under the repository license.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f20972f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,81 @@
+# cloud-security-service-model
+
+**Tagline:** A pragmatic, enterprise Cloud Security service operating model (Azure + Hybrid)
+
+## What this repo is
+This repository is a public-safe, enterprise-grade operating model for a **Cloud Security Service** delivered as a
+service/product. It defines scope, boundaries, governance, metrics, runbooks, and implementation stubs to help platform
+and security leaders stand up a predictable, measurable cloud security capability.
+
+## Who it’s for
+- Head of Cloud Platform Services
+- Security leadership (CISO org)
+- Cloud engineering leads
+- Audit/compliance stakeholders
+
+## Problem it solves
+Organizations often treat cloud security as a toolset. This repo reframes it as a **service** with clear ownership,
+interfaces, measurable outcomes, and lifecycle management across Azure and hybrid/on-prem environments.
+
+## Scope
+- Azure and hybrid coverage (Azure Arc and Azure Local/on-prem)
+- Policy, identity, logging, incident response, and governance
+- Controls as Code examples (policy, IaC, detection)
+
+## Non-scope
+- Tenant-specific configurations or secrets
+- Production-ready infrastructure code
+- Vendor-specific operational details beyond Azure and hybrid scope
+
+## Service boundaries (summary)
+- **We do:** define standards, manage policy-as-code, enable monitoring, coordinate incident response, provide evidence.
+- **We don’t:** own app code, operate app teams’ pipelines, or run business application production on their behalf.
+
+## How to consume
+1. Start with the executive overview and service definition.
+2. Use the operating model and KPIs to set expectations.
+3. Apply the templates and runbooks in operational workflows.
+4. Extend implementation stubs in your own environment.
+
+## Quick navigation
+- Executive overview: [`docs/00-executive-overview.md`](docs/00-executive-overview.md)
+- Service definition: [`docs/01-service-definition.md`](docs/01-service-definition.md)
+- Operating model: [`docs/05-operating-model.md`](docs/05-operating-model.md)
+- Metrics & KPIs: [`docs/07-metrics-and-kpis.md`](docs/07-metrics-and-kpis.md)
+- Roadmap & maturity: [`docs/08-roadmap-and-maturity.md`](docs/08-roadmap-and-maturity.md)
+- Hybrid/Azure Local: [`docs/18-hybrid-azure-local.md`](docs/18-hybrid-azure-local.md)
+- Runbooks: [`docs/20-runbooks/README.md`](docs/20-runbooks/README.md)
+- Templates: [`docs/21-templates/README.md`](docs/21-templates/README.md)
+- Diagrams: [`docs/22-diagrams/README.md`](docs/22-diagrams/README.md)
+- Static site: [`docs/index.html`](docs/index.html)
+
+## Service lifecycle (preview)
+```mermaid
+graph LR
+ A[Discover Demand] --> B[Define Service]
+ B --> C[Build Controls as Code]
+ C --> D[Operate & Monitor]
+ D --> E[Measure & Improve]
+ E --> B
+```
+
+## ISO 27001 / CISSP mapping (high level)
+- **ISO 27001**: The service model maps to control intent areas such as access control, logging, incident response,
+ change management, and risk treatment. See the mapping table in
+ [`docs/10-audit-readiness.md`](docs/10-audit-readiness.md).
+- **CISSP domains**: Coverage spans Security & Risk Management, Asset Security, Security Engineering, IAM, Security
+ Assessment, Security Operations, and Software Development Security. See
+ [`docs/00-executive-overview.md`](docs/00-executive-overview.md).
+
+## Using the static site
+Open [`docs/index.html`](docs/index.html) to browse a minimal HTML version of the content with navigation and search.
+
+## Repo structure
+The repository includes:
+- `/docs` — service model documentation and diagrams
+- `/impl` — Azure and hybrid implementation stubs
+- `/agile` — backlog, ceremonies, and metrics
+- `/site` — lightweight static documentation site
+
+## License
+See [`LICENSE`](LICENSE).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..3f08fde
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,16 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+This repository is a documentation and reference model. If you believe a security issue exists in any provided
+examples, open a private security advisory or contact the maintainers.
+
+Please include:
+- A description of the issue
+- Steps to reproduce (if applicable)
+- Potential impact
+
+## Scope
+
+The content in this repo is non-production reference material. No live services or infrastructure are operated
+from this repository.
diff --git a/agile/README.md b/agile/README.md
new file mode 100644
index 0000000..52ffa67
--- /dev/null
+++ b/agile/README.md
@@ -0,0 +1,9 @@
+# Agile Operating Model
+
+The Cloud Security Service is managed as a product with a prioritized backlog, measurable outcomes, and regular
+ceremonies.
+
+## Contents
+- Backlog: `backlog/`
+- Ceremonies: `ceremonies/`
+- Operating metrics: `operating-metrics/`
diff --git a/agile/backlog/README.md b/agile/backlog/README.md
new file mode 100644
index 0000000..32490d7
--- /dev/null
+++ b/agile/backlog/README.md
@@ -0,0 +1,9 @@
+# Backlog
+
+The backlog captures enhancements, defects, and operational improvements for the Cloud Security Service.
+
+## Contents
+- Epics: `epics.md`
+- Sample backlog items: `sample-backlog-items.md`
+- Definition of done: `definition-of-done.md`
+- Security debt: `security-debt.md`
diff --git a/agile/backlog/definition-of-done.md b/agile/backlog/definition-of-done.md
new file mode 100644
index 0000000..8356031
--- /dev/null
+++ b/agile/backlog/definition-of-done.md
@@ -0,0 +1,8 @@
+# Definition of Done
+
+- Requirements documented and approved.
+- Security impact assessed.
+- Controls as Code updated and tested.
+- Logging and monitoring verified.
+- Evidence captured for audit.
+- Documentation updated.
diff --git a/agile/backlog/epics.md b/agile/backlog/epics.md
new file mode 100644
index 0000000..e969d52
--- /dev/null
+++ b/agile/backlog/epics.md
@@ -0,0 +1,9 @@
+# Epics
+
+1. **Identity Security**
+2. **Policy as Code**
+3. **Sentinel & Detection Engineering**
+4. **Hybrid & Azure Arc**
+5. **Data Protection & Key Management**
+6. **Incident Response & Resilience**
+7. **Governance & Audit Readiness**
diff --git a/agile/backlog/sample-backlog-items.md b/agile/backlog/sample-backlog-items.md
new file mode 100644
index 0000000..fdfa3f7
--- /dev/null
+++ b/agile/backlog/sample-backlog-items.md
@@ -0,0 +1,22 @@
+# Sample Backlog Items
+
+## Epic: Policy as Code
+- **Story:** Implement baseline policy initiative for encryption and diagnostics.
+ - **Acceptance criteria:**
+ - Initiative JSON validated in CI
+ - Assigned at management group scope
+ - Compliance report available
+
+## Epic: Sentinel & Detection Engineering
+- **Story:** Add impossible travel detection rule.
+ - **Acceptance criteria:**
+ - Rule authored and reviewed
+ - False positive rate < 5% after two weeks
+ - Runbook updated with triage steps
+
+## Epic: Hybrid & Azure Arc
+- **Story:** Onboard 50 hybrid servers to Azure Arc.
+ - **Acceptance criteria:**
+ - Onboarding script used
+ - All resources tagged with owner and environment
+ - Logs visible in SIEM within 24 hours
diff --git a/agile/backlog/security-debt.md b/agile/backlog/security-debt.md
new file mode 100644
index 0000000..851a944
--- /dev/null
+++ b/agile/backlog/security-debt.md
@@ -0,0 +1,8 @@
+# Security Debt
+
+Security debt represents known security gaps that require remediation.
+
+## Tracking model
+- Each debt item has a risk score and owner.
+- Debt items are reviewed monthly.
+- Items are prioritized based on risk and exposure.
diff --git a/agile/ceremonies/daily-standup.md b/agile/ceremonies/daily-standup.md
new file mode 100644
index 0000000..b927487
--- /dev/null
+++ b/agile/ceremonies/daily-standup.md
@@ -0,0 +1,5 @@
+# Daily Standup
+
+- What did you do yesterday?
+- What will you do today?
+- Any blockers?
diff --git a/agile/ceremonies/retrospective.md b/agile/ceremonies/retrospective.md
new file mode 100644
index 0000000..413e1d1
--- /dev/null
+++ b/agile/ceremonies/retrospective.md
@@ -0,0 +1,6 @@
+# Retrospective
+
+## Prompts
+- What went well?
+- What should improve?
+- What will we change next sprint?
diff --git a/agile/ceremonies/review-demo.md b/agile/ceremonies/review-demo.md
new file mode 100644
index 0000000..0936300
--- /dev/null
+++ b/agile/ceremonies/review-demo.md
@@ -0,0 +1,6 @@
+# Review and Demo
+
+## Agenda
+- Demonstrate completed work
+- Review KPI impact
+- Capture feedback
diff --git a/agile/ceremonies/sprint-planning.md b/agile/ceremonies/sprint-planning.md
new file mode 100644
index 0000000..d00049e
--- /dev/null
+++ b/agile/ceremonies/sprint-planning.md
@@ -0,0 +1,6 @@
+# Sprint Planning
+
+## Agenda
+- Review backlog priorities
+- Confirm sprint goals
+- Align on capacity
diff --git a/agile/operating-metrics/kpi-cadence.md b/agile/operating-metrics/kpi-cadence.md
new file mode 100644
index 0000000..de1c9a6
--- /dev/null
+++ b/agile/operating-metrics/kpi-cadence.md
@@ -0,0 +1,9 @@
+# KPI Cadence
+
+| KPI | Cadence | Owner |
+| --- | --- | --- |
+| Policy compliance % | Weekly | Service Manager |
+| MTTR (critical) | Weekly | Remediation Lead |
+| TTD/TTC | Weekly | SecOps |
+| Privileged access exposure | Monthly | Identity Lead |
+| Backup restore tests | Quarterly | Platform Ops |
diff --git a/agile/operating-metrics/okrs.md b/agile/operating-metrics/okrs.md
new file mode 100644
index 0000000..d7ef2b1
--- /dev/null
+++ b/agile/operating-metrics/okrs.md
@@ -0,0 +1,9 @@
+# OKRs
+
+## Objective 1: Improve policy compliance
+- KR1: Achieve ≥ 95% baseline policy compliance
+- KR2: Reduce misconfiguration trend by 10% quarter over quarter
+
+## Objective 2: Increase incident response effectiveness
+- KR1: Meet TTD ≤ 15 minutes for SEV1/2
+- KR2: Meet TTC ≤ 4 hours for SEV1/2
diff --git a/docs/00-executive-overview.md b/docs/00-executive-overview.md
new file mode 100644
index 0000000..a355f1c
--- /dev/null
+++ b/docs/00-executive-overview.md
@@ -0,0 +1,79 @@
+# Executive Overview
+
+## Purpose
+The Cloud Security Service provides a repeatable, measurable security capability across Azure and hybrid environments.
+It is operated as a product with clear ownership, service boundaries, and a lifecycle that prioritizes stability and
+predictability.
+
+## Audience
+- Cloud Platform Services leadership
+- Security leadership (CISO organization)
+- Cloud engineering leads
+- Audit and compliance stakeholders
+
+## What success looks like
+- Policy compliance remains above agreed targets.
+- Incident response is consistent, measurable, and auditable.
+- Controls as Code are deployed, tested, and monitored for drift.
+- Service outcomes are reviewed on a regular cadence and improved.
+
+## Assumptions
+- The organization operates Azure and maintains hybrid/on-prem environments with Azure Arc.
+- Centralized logging exists or is feasible via SIEM (e.g., Microsoft Sentinel).
+- Identity is federated and privileged access is managed with just-in-time controls.
+
+## High-level capability map
+- Governance & policy
+- Identity & access
+- Monitoring & detection
+- Incident response
+- Risk & audit readiness
+- Hybrid posture management
+
+## Service lifecycle (visual)
+```mermaid
+flowchart LR
+ A[Discover Demand] --> B[Define Service]
+ B --> C[Design Controls]
+ C --> D[Build Controls as Code]
+ D --> E[Operate & Monitor]
+ E --> F[Measure & Improve]
+ F --> B
+```
+
+## Documentation index
+- [`01-service-definition.md`](01-service-definition.md)
+- [`02-service-catalog.md`](02-service-catalog.md)
+- [`03-architecture-principles.md`](03-architecture-principles.md)
+- [`04-reference-architecture.md`](04-reference-architecture.md)
+- [`05-operating-model.md`](05-operating-model.md)
+- [`06-governance-and-raic.md`](06-governance-and-raic.md)
+- [`07-metrics-and-kpis.md`](07-metrics-and-kpis.md)
+- [`08-roadmap-and-maturity.md`](08-roadmap-and-maturity.md)
+- [`09-risk-management.md`](09-risk-management.md)
+- [`10-audit-readiness.md`](10-audit-readiness.md)
+- [`11-incident-response.md`](11-incident-response.md)
+- [`12-change-and-release.md`](12-change-and-release.md)
+- [`13-exception-handling.md`](13-exception-handling.md)
+- [`14-vulnerability-management.md`](14-vulnerability-management.md)
+- [`15-access-management.md`](15-access-management.md)
+- [`16-logging-monitoring-siem.md`](16-logging-monitoring-siem.md)
+- [`17-data-protection-and-keys.md`](17-data-protection-and-keys.md)
+- [`18-hybrid-azure-local.md`](18-hybrid-azure-local.md)
+- [`19-devsecops-pipelines.md`](19-devsecops-pipelines.md)
+- [`20-runbooks/README.md`](20-runbooks/README.md)
+- [`21-templates/README.md`](21-templates/README.md)
+- [`22-diagrams/README.md`](22-diagrams/README.md)
+
+## Framework alignment (high level)
+- **ISO 27001:2022**: control intent alignment for access control, logging, incident response, change management, and
+ risk treatment.
+- **CISSP domains**: Security & Risk Management, Asset Security, Security Engineering, IAM, Security Assessment,
+ Security Operations, Software Development Security.
+- **NIST-like IR lifecycle**: prepare, detect, contain, eradicate, recover, learn.
+
+## Related docs
+- Service definition: [`01-service-definition.md`](01-service-definition.md)
+- Operating model: [`05-operating-model.md`](05-operating-model.md)
+- Audit readiness: [`10-audit-readiness.md`](10-audit-readiness.md)
+- Hybrid/Azure Local: [`18-hybrid-azure-local.md`](18-hybrid-azure-local.md)
diff --git a/docs/01-service-definition.md b/docs/01-service-definition.md
new file mode 100644
index 0000000..c1a8ca7
--- /dev/null
+++ b/docs/01-service-definition.md
@@ -0,0 +1,56 @@
+# Service Definition
+
+## Mission
+Deliver a stable, auditable Cloud Security Service that enables secure, compliant, and resilient cloud workloads across
+Azure and hybrid environments.
+
+## Outcomes
+- Measurable policy compliance and configuration hygiene.
+- Reduced risk exposure through timely detection and remediation.
+- Audit-ready evidence with defined ownership and retention.
+
+## Consumers
+- Application teams
+- Platform engineering
+- Security operations
+- Risk and compliance
+
+## Service boundaries
+**We do**
+- Define and manage security policy-as-code.
+- Operate detection and alerting with a tuning cadence.
+- Coordinate incident response and post-incident learning.
+- Provide audit evidence and risk reporting.
+
+**We don’t**
+- Own application runtime operations.
+- Create business application code.
+- Approve business risk on behalf of risk owners.
+
+## Interfaces
+- **Cloud Platform Engineering:** landing zone standards, network patterns, identity baseline.
+- **SOC / SecOps:** alert triage, incident response workflows, detection tuning.
+- **Enterprise Risk & Compliance:** risk register, audit evidence, policy exceptions.
+- **App teams:** policy exceptions, onboarding, remediation tasks.
+- **ITSM:** change control, service requests, incident records.
+
+## RACI
+
+| Activity | Responsible | Accountable | Consulted | Informed |
+| --- | --- | --- | --- | --- |
+| Policy-as-code development | Cloud Security Service | Service Manager | Platform Engineering | App Teams |
+| Policy exception approval | Risk Owner | CISO Delegate | Service Manager | App Teams |
+| Incident response coordination | SecOps | Incident Commander | Service Manager | Stakeholders |
+| Logging/SIEM onboarding | Cloud Security Service | Service Manager | Platform Engineering | App Teams |
+| Audit evidence collection | Cloud Security Service | Service Manager | Compliance | Risk Owners |
+
+## Intake model
+- **Service requests:** onboarding, logging, access reviews, baseline validations.
+- **Exceptions:** policy exceptions, risk acceptance, compensating controls.
+- **Changes:** standard, normal, emergency change paths.
+- **Incidents:** triage, containment, eradication, recovery, lessons learned.
+
+## Related docs
+- Operating model: [`05-operating-model.md`](05-operating-model.md)
+- Exception handling: [`13-exception-handling.md`](13-exception-handling.md)
+- Change management: [`12-change-and-release.md`](12-change-and-release.md)
diff --git a/docs/02-service-catalog.md b/docs/02-service-catalog.md
new file mode 100644
index 0000000..101be89
--- /dev/null
+++ b/docs/02-service-catalog.md
@@ -0,0 +1,21 @@
+# Service Catalog
+
+## Core services
+| Service | Description | Owner | Key Outputs |
+| --- | --- | --- | --- |
+| Policy-as-Code | Baseline policies and initiatives for Azure and hybrid | Cloud Security Service | Policy initiatives, assignments, compliance reports |
+| Identity Security | Privileged access and role hygiene | Cloud Security Service | PIM reports, role reviews, break-glass controls |
+| Logging & SIEM | Centralized logging and detections | Cloud Security Service | Log onboarding, analytic rules, dashboards |
+| Incident Response | Coordinated response for cloud incidents | SecOps | Incident records, postmortems, lessons learned |
+| Risk & Audit | Evidence and risk reporting | Service Manager | Risk register, audit evidence packs |
+
+## Optional services
+| Service | Description | Trigger |
+| --- | --- | --- |
+| Configuration Review | Targeted posture review for workloads | Quarterly reviews or upon request |
+| Threat Modeling Support | Guided threat modeling for new services | Project intake |
+| Architecture Review | Security architecture advisory | New platform features |
+
+## Related docs
+- Operating model: [`05-operating-model.md`](05-operating-model.md)
+- Metrics & KPIs: [`07-metrics-and-kpis.md`](07-metrics-and-kpis.md)
diff --git a/docs/03-architecture-principles.md b/docs/03-architecture-principles.md
new file mode 100644
index 0000000..80be87a
--- /dev/null
+++ b/docs/03-architecture-principles.md
@@ -0,0 +1,20 @@
+# Architecture Principles
+
+## Principles
+1. **Security should be boring, predictable, measurable.**
+2. **Controls as Code** is the default for enforceable standards.
+3. **Least privilege** is enforced with just-in-time access.
+4. **Central logging** is required for all critical workloads.
+5. **Hybrid parity**: on-prem/hybrid receives equivalent baseline coverage.
+6. **Evidence by design**: build audit artifacts into processes.
+7. **Segregation of duties** for critical change and approval paths.
+
+## Design implications
+- Centralized policy assignments at management group level.
+- Logging pipelines are standardized and monitored for gaps.
+- Landing zones include baseline networking, identity, and monitoring.
+- Exceptions are documented, time-bound, and reviewed.
+
+## Related docs
+- Reference architecture: [`04-reference-architecture.md`](04-reference-architecture.md)
+- Operating model: [`05-operating-model.md`](05-operating-model.md)
diff --git a/docs/04-reference-architecture.md b/docs/04-reference-architecture.md
new file mode 100644
index 0000000..7a243f9
--- /dev/null
+++ b/docs/04-reference-architecture.md
@@ -0,0 +1,37 @@
+# Reference Architecture
+
+## Overview
+The reference architecture centers on standardized landing zones, centralized policy enforcement, and shared
+logging/monitoring services. It supports Azure and hybrid assets via Azure Arc.
+
+## Key components
+- **Management groups** with policy initiatives and guardrails.
+- **Landing zones** with hub/spoke networking and shared services.
+- **Centralized logging** via Log Analytics and SIEM.
+- **Identity security** with PIM, break-glass accounts, and MFA.
+- **Hybrid onboarding** via Azure Arc to maintain policy and logging scope.
+
+## Data flow summary
+1. Policies are authored and tested in a controlled pipeline.
+2. Assignments are deployed to management groups and subscriptions.
+3. Logs are forwarded to SIEM for detection and response.
+4. Evidence is stored and mapped to controls.
+
+## Shared responsibility (visual)
+```mermaid
+flowchart LR
+ A[Cloud Provider] --> B[Physical Security]
+ A --> C[Hypervisor]
+ A --> D[Core Services]
+ E[Customer] --> F[Identity]
+ E --> G[Data]
+ E --> H[Configuration]
+ E --> I[Applications]
+```
+
+## Diagram
+Shared responsibility overview: [`22-diagrams/shared-responsibility.mmd`](22-diagrams/shared-responsibility.mmd)
+
+## Related docs
+- Architecture principles: [`03-architecture-principles.md`](03-architecture-principles.md)
+- Hybrid/Azure Local: [`18-hybrid-azure-local.md`](18-hybrid-azure-local.md)
diff --git a/docs/05-operating-model.md b/docs/05-operating-model.md
new file mode 100644
index 0000000..c3162be
--- /dev/null
+++ b/docs/05-operating-model.md
@@ -0,0 +1,48 @@
+# Operating Model
+
+## End-to-end model
+The Cloud Security Service operates in a continuous lifecycle:
+
+- **Plan:** roadmap, backlog grooming, risk assessment.
+- **Build:** controls as code, policy updates, detection engineering.
+- **Run:** monitoring, incident response, compliance reporting.
+- **Improve:** retrospectives, KPI review, maturity evolution.
+
+## Operating model (visual)
+```mermaid
+flowchart LR
+ A[Plan] --> B[Build]
+ B --> C[Run]
+ C --> D[Improve]
+ D --> A
+```
+
+## Diagram
+See the lifecycle model diagram: [`22-diagrams/security-operating-model.mmd`](22-diagrams/security-operating-model.mmd)
+
+## Guiding behavior
+**Security should be boring, predictable, measurable.** We avoid hero culture and rely on documented processes,
+repeatable controls, and shared accountability.
+
+## Ceremonies and cadence
+| Ceremony | Cadence | Owner | Outputs |
+| --- | --- | --- | --- |
+| Weekly ops review | Weekly | Service Manager | KPI deltas, top risks, open incidents |
+| Monthly service review | Monthly | Service Manager | roadmap updates, stakeholder feedback |
+| Quarterly risk review | Quarterly | Risk Owner | risk register updates, exception renewals |
+| Annual audit readiness | Annual | Compliance Lead | evidence packs, audit schedule |
+
+## Escalation paths
+- **SEV1/SEV2 incidents:** immediate escalation to Incident Commander and Service Manager.
+- **Policy exceptions:** escalate to risk owner when exceptions exceed 90 days or repeat.
+- **Critical control failures:** escalate to platform leadership within 24 hours.
+
+## No hero culture
+- Incidents require rotation-based on-call coverage.
+- Postmortems focus on system fixes, not individual blame.
+- Repeated manual fixes are converted into backlog items.
+
+## Related docs
+- Metrics & KPIs: [`07-metrics-and-kpis.md`](07-metrics-and-kpis.md)
+- Incident response: [`11-incident-response.md`](11-incident-response.md)
+- Roadmap & maturity: [`08-roadmap-and-maturity.md`](08-roadmap-and-maturity.md)
diff --git a/docs/06-governance-and-raic.md b/docs/06-governance-and-raic.md
new file mode 100644
index 0000000..4d273a5
--- /dev/null
+++ b/docs/06-governance-and-raic.md
@@ -0,0 +1,22 @@
+# Governance and RAIC
+
+## Governance model
+The Cloud Security Service is governed through service reviews, risk oversight, and policy change controls. Decisions are
+documented and measurable, with clear ownership for approval and escalation.
+
+## RAIC model
+RAIC is used for fast decision making:
+- **Recommend:** Cloud Security Service proposes changes.
+- **Approve:** Service Manager or delegated risk owner approves.
+- **Implement:** Engineering teams execute changes.
+- **Consult:** Risk, compliance, and platform stakeholders consulted.
+
+## Decision domains
+- Policy baselines
+- Exception approvals
+- Incident response outcomes
+- Roadmap priorities
+
+## Related docs
+- Service definition: [`01-service-definition.md`](01-service-definition.md)
+- Change management: [`12-change-and-release.md`](12-change-and-release.md)
diff --git a/docs/07-metrics-and-kpis.md b/docs/07-metrics-and-kpis.md
new file mode 100644
index 0000000..b7cab01
--- /dev/null
+++ b/docs/07-metrics-and-kpis.md
@@ -0,0 +1,42 @@
+# Metrics and KPIs
+
+## KPI catalog
+| KPI | Definition | Formula | Data Sources | Target | Owner | Cadence |
+| --- | --- | --- | --- | --- | --- | --- |
+| Policy compliance % | Percentage of resources compliant with baseline policies | Compliant resources / total in scope | Policy compliance reports | ≥ 95% | Service Manager | Weekly |
+| MTTR for critical findings | Time to remediate critical issues | Avg remediation time (days) | Ticketing/ITSM | ≤ 7 days | Remediation Lead | Weekly |
+| Time-to-detect (TTD) | Time from event to detection | Avg detection time | SIEM | ≤ 15 minutes | SecOps | Weekly |
+| Time-to-contain (TTC) | Time from detection to containment | Avg containment time | Incident records | ≤ 4 hours | Incident Commander | Weekly |
+| Privileged access exposure | Standing admins and PIM activations | # standing admins + % JIT | IAM/PIM reports | 0 standing admins | Identity Lead | Monthly |
+| Misconfiguration trend rate | Net change in policy violations | (New violations - remediated) / period | Policy compliance | Trending down | Service Manager | Monthly |
+| Backup restore test success rate | Successful restore tests | Successful tests / total tests | Backup reports | ≥ 95% | Platform Ops | Quarterly |
+
+## SLA/SLO targets (service-level)
+| Service area | SLA/SLO | Definition | Target | Owner |
+| --- | --- | --- | --- | --- |
+| Incident response | SLO | SEV1 acknowledgment time | ≤ 15 minutes | Incident Commander |
+| Incident response | SLO | SEV1 containment time | ≤ 4 hours | Incident Commander |
+| Policy service | SLA | Baseline policy update delivery | ≤ 10 business days | Service Manager |
+| Logging onboarding | SLA | New workload log onboarding | ≤ 5 business days | Logging Lead |
+| Exception handling | SLA | Exception review turnaround | ≤ 10 business days | Risk Owner |
+
+## Sample dashboard (mock)
+| Metric | Current | Target | Status |
+| --- | --- | --- | --- |
+| Policy compliance % | 96.4% | ≥ 95% | On
track |
+| MTTR (critical) | 6.2 days | ≤ 7 days | On track |
+| TTD | 12 min | ≤ 15 min | On track |
+| TTC | 5.5 hours | ≤ 4 hours | Needs attention |
+| Privileged access exposure | 2 standing admins | 0 | Needs attention |
+| Misconfiguration trend | -4% | Decreasing | On track |
+| Backup restore tests | 94% | ≥ 95% | At risk |
+
+## Metrics anti-patterns
+- Reporting only activity (tickets closed) instead of outcomes.
+- Averaging away SEV1/SEV2 incidents without severity weighting.
+- No target or owner, leading to unowned metrics.
+- Dashboards that are updated manually and inconsistently.
+
+## Related docs
+- Operating model: [`05-operating-model.md`](05-operating-model.md)
+- Roadmap & maturity: [`08-roadmap-and-maturity.md`](08-roadmap-and-maturity.md)
diff --git a/docs/08-roadmap-and-maturity.md b/docs/08-roadmap-and-maturity.md
new file mode 100644
index 0000000..6a39b77
--- /dev/null
+++ b/docs/08-roadmap-and-maturity.md
@@ -0,0 +1,39 @@
+# Roadmap and Maturity
+
+## Maturity phases
+
+### Foundation
+**Outcomes:** baseline policy coverage, centralized logging, defined incident process.
+**Key initiatives:** landing zone standards, policy-as-code v1, SIEM onboarding.
+**Exit criteria:** ≥ 90% of subscriptions covered by baseline policies; IR playbooks tested.
+**Risks:** fragmented ownership, low compliance adoption.
+
+### Standardization
+**Outcomes:** consistent implementation across business units, improved evidence readiness.
+**Key initiatives:** standardized templates, reporting cadence, exception workflows.
+**Exit criteria:** KPI dashboard published monthly; exception backlog < 10 active items.
+**Risks:** inconsistent change control, unmanaged exceptions.
+
+### Automation
+**Outcomes:** automated enforcement and remediation.
+**Key initiatives:** policy-as-code CI/CD, auto-remediation runbooks, drift monitoring.
+**Exit criteria:** ≥ 70% of findings auto-remediated; TTD/TTC targets met.
+**Risks:** tooling gaps, inadequate testing pipelines.
+
+### Optimization
+**Outcomes:** continuous improvement and proactive risk reduction.
+**Key initiatives:** predictive analytics, advanced detection tuning, cost optimization.
+**Exit criteria:** KPI targets consistently met for 2+ quarters.
+**Risks:** complacency, reduced focus on hygiene.
+
+## Sample 12-month roadmap
+| Quarter | Focus | Key Deliverables |
+| --- | --- | --- |
+| Q1 | Foundation | Landing zone baseline, policy-as-code MVP, SIEM onboarding |
+| Q2 | Standardization | KPI dashboard, exception workflow, runbook adoption |
+| Q3 | Automation | CI/CD for policies, automated remediation, drift monitoring |
+| Q4 | Optimization | Advanced analytics, SLO tuning, audit readiness improvements |
+
+## Related docs
+- Metrics & KPIs: [`07-metrics-and-kpis.md`](07-metrics-and-kpis.md)
+- Operating model: [`05-operating-model.md`](05-operating-model.md)
diff --git a/docs/09-risk-management.md b/docs/09-risk-management.md
new file mode 100644
index 0000000..711b34c
--- /dev/null
+++ b/docs/09-risk-management.md
@@ -0,0 +1,27 @@
+# Risk Management
+
+## Risk register process
+1. Identify risks during service reviews, assessments, or incidents.
+2. Score risks using likelihood and impact.
+3. Assign an owner and treatment plan.
+4. Track and review on a quarterly cadence.
+
+## Scoring method
+- **Likelihood:** 1 (rare) to 5 (frequent)
+- **Impact:** 1 (low) to 5 (severe)
+- **Score:** Likelihood × Impact
+
+## Treatment options
+- Mitigate (reduce likelihood/impact)
+- Transfer (e.g., insurance)
+- Accept (risk acceptance with sign-off)
+- Avoid (change approach)
+
+## Review cadence
+- Monthly service review: top 5 risks
+- Quarterly risk review: full register
+- Annual audit readiness: evidence validation
+
+## Related docs
+- Audit readiness: [`10-audit-readiness.md`](10-audit-readiness.md)
+- Exception handling: [`13-exception-handling.md`](13-exception-handling.md)
diff --git a/docs/10-audit-readiness.md b/docs/10-audit-readiness.md
new file mode 100644
index 0000000..6c41f0e
--- /dev/null
+++ b/docs/10-audit-readiness.md
@@ -0,0 +1,30 @@
+# Audit Readiness
+
+## Evidence model
+| Control area | Evidence | Source | Retention |
+| --- | --- | --- | --- |
+| Access control | PIM activation logs, role review reports | IAM/PIM | 1 year |
+| Logging | SIEM ingestion reports, log retention policy | SIEM, Log Analytics | 1 year |
+| Incident response | Incident records, postmortems | ITSM/SecOps | 2 years |
+| Change management | Change tickets, approvals | ITSM | 2 years |
+| Policy compliance | Compliance reports, policy assignments | Policy dashboard | 1 year |
+
+## ISO 27001:2022 mapping (high level)
+| ISO domain | Control intent | Implementation examples |
+| --- | --- | --- |
+| Access control | Ensure least privilege and privileged access management | PIM, break-glass monitoring |
+| Asset management | Maintain inventory and classification | Resource tagging, inventory reports |
+| Logging & monitoring | Detect events and maintain evidence | Centralized logging, SIEM analytics |
+| Incident management | Timely response and recovery | IR playbooks, evidence capture |
+| Change management | Controlled changes to security posture | Change request workflow, CAB-lite |
+| Risk management | Identify and treat security risks | Risk register, exception handling |
+
+## Audit readiness checklist
+- Evidence sources documented for each control intent.
+- Retention periods meet regulatory obligations.
+- Evidence is reviewable and immutable.
+- Exception register is current and signed off.
+
+## Related docs
+- Risk management: [`09-risk-management.md`](09-risk-management.md)
+- Incident response: [`11-incident-response.md`](11-incident-response.md)
diff --git a/docs/11-incident-response.md b/docs/11-incident-response.md
new file mode 100644
index 0000000..0459000
--- /dev/null
+++ b/docs/11-incident-response.md
@@ -0,0 +1,44 @@
+# Incident Response
+
+## Lifecycle
+Prepare → Detect → Contain → Eradicate → Recover → Learn
+
+## Severity model
+| Severity | Description | Example |
+| --- | --- | --- |
+| SEV1 | Critical impact to multiple services or regulatory exposure | Widespread credential compromise |
+| SEV2 | High impact to a single critical service | Exposure of sensitive workload |
+| SEV3 | Moderate impact or limited scope | Misconfiguration without data loss |
+| SEV4 | Low impact, informational | Non-blocking alert |
+
+## Roles
+- **Incident Commander:** overall coordination and decision making.
+- **Comms Lead:** stakeholder updates and communications.
+- **Resolver:** technical remediation owner.
+- **Forensics Lead:** evidence collection and analysis.
+- **Approver:** risk owner for major actions.
+
+## Playbooks and evidence
+- Follow runbooks for triage and containment.
+- Capture evidence in a centralized case folder.
+- Conduct a postmortem within 5 business days.
+
+## Incident flow
+```mermaid
+flowchart LR
+ A[Alert] --> B[Triage]
+ B --> C{Severity}
+ C -->|SEV1/2| D[Contain]
+ C -->|SEV3/4| E[Remediate]
+ D --> F[Eradicate]
+ F --> G[Recover]
+ G --> H[Postmortem]
+ E --> H
+```
+
+## Diagram
+See the dedicated incident response diagram: [`22-diagrams/incident-response.mmd`](22-diagrams/incident-response.mmd)
+
+## Related docs
+- Runbooks: [`20-runbooks/README.md`](20-runbooks/README.md)
+- Change management: [`12-change-and-release.md`](12-change-and-release.md)
diff --git a/docs/12-change-and-release.md b/docs/12-change-and-release.md
new file mode 100644
index 0000000..ed12eb7
--- /dev/null
+++ b/docs/12-change-and-release.md
@@ -0,0 +1,40 @@ +# Change and Release + +## Change model +- **Standard:** pre-approved, low risk. +- **Normal:** requires assessment and approval. +- **Emergency:** expedited with post-change review. + +## Pre-approval rules +- Changes must have a rollback plan. +- Security impact assessed for any policy or identity change. +- Maintenance windows applied to production changes. + +## CAB-lite approach +Cloud changes use a lightweight CAB for speed with control. Approval is delegated to the Service Manager for +standardized changes. + +## Change flow +```mermaid +flowchart LR + A[Change Request] --> B[Assess Risk] + B --> C{Change Type} + C -->|Standard| D[Auto-Approve] + C -->|Normal| E[Approve] + C -->|Emergency| F[Expedite] + D --> G[Implement] + E --> G + F --> G + G --> H[Verify] + H --> I[Close] +``` + +## Diagram +See the change management diagram: [`22-diagrams/change-management.mmd`](22-diagrams/change-management.mmd) + +## Templates +- Change request: [`21-templates/template-change-request.md`](21-templates/template-change-request.md) + +## Related docs +- Exception handling: [`13-exception-handling.md`](13-exception-handling.md) +- Runbooks: [`20-runbooks/README.md`](20-runbooks/README.md) diff --git a/docs/13-exception-handling.md b/docs/13-exception-handling.md new file mode 100644 index 0000000..4948f03 --- /dev/null +++ b/docs/13-exception-handling.md 
@@ -0,0 +1,34 @@ +# Exception Handling + +## Exception types +- **Policy exception:** temporary deviation from baseline policy. +- **Risk acceptance:** risk owner accepts a known risk. +- **Compensating controls:** alternative measures to reduce risk. + +## Required fields +- Business justification +- Impacted assets +- Compensating controls +- Expiry date +- Sign-off matrix + +## Review cadence +- Exceptions reviewed every 90 days. +- Expired exceptions trigger escalation to risk owner. + +## Exception flow +```mermaid +flowchart LR + A[Request] --> B[Assess] + B --> C{Approve?} + C -->|Yes| D[Implement Compensating Control] + C -->|No| E[Reject] + D --> F[Review/Expire] +``` + +## Diagram +See the exception handling diagram: [`22-diagrams/exception-handling.mmd`](22-diagrams/exception-handling.mmd) + +## Related docs +- Risk management: [`09-risk-management.md`](09-risk-management.md) +- Templates: [`21-templates/template-exception-request.md`](21-templates/template-exception-request.md) diff --git a/docs/14-vulnerability-management.md b/docs/14-vulnerability-management.md new file mode 100644 index 0000000..7d9d53c --- /dev/null +++ b/docs/14-vulnerability-management.md @@ -0,0 +1,23 @@ +# Vulnerability Management + +## Objectives +- Detect, prioritize, and remediate vulnerabilities on a defined cadence. +- Measure remediation effectiveness and repeatability. + +## Process +1. Discover vulnerabilities via scanning and advisories. +2. Prioritize based on severity, exposure, and asset criticality. +3. Remediate or accept risk with documented exceptions. +4. Verify fixes and update evidence. + +## SLAs +| Severity | Target remediation | +| --- | --- | +| Critical | 7 days | +| High | 14 days | +| Medium | 30 days | +| Low | 90 days | + +## Related docs +- Incident response: [`11-incident-response.md`](11-incident-response.md) +- Risk management: [`09-risk-management.md`](09-risk-management.md) 
diff --git a/docs/15-access-management.md b/docs/15-access-management.md new file mode 100644 index 0000000..d56a636 --- /dev/null +++ b/docs/15-access-management.md @@ -0,0 +1,20 @@ +# Access Management + +## Principles +- Least privilege by default. +- Just-in-time access for privileged roles. +- MFA required for administrative access. + +## Controls +- Privileged Identity Management (PIM) for elevated roles. +- Quarterly role reviews for critical subscriptions. +- Break-glass accounts monitored and restricted. + +## Evidence +- PIM activation logs +- Role review reports +- Access recertification records + +## Related docs +- Metrics & KPIs: [`07-metrics-and-kpis.md`](07-metrics-and-kpis.md) +- Incident response: [`11-incident-response.md`](11-incident-response.md) diff --git a/docs/16-logging-monitoring-siem.md b/docs/16-logging-monitoring-siem.md new file mode 100644 index 0000000..9f3d5db --- /dev/null +++ b/docs/16-logging-monitoring-siem.md 
@@ -0,0 +1,31 @@ +# Logging, Monitoring, and SIEM + +## Logging requirements +- All production workloads must forward security logs to SIEM. +- Diagnostic settings are enforced via policy. +- Retention aligns with audit requirements. + +## Monitoring model +- Detections are built and maintained as code. +- Alerts follow a tuning cadence to reduce noise. +- Metrics are tracked for detection effectiveness. + +## Hybrid logging +Azure Arc-enabled servers forward logs to centralized SIEM with consistent tags and retention. + +## Hybrid logging architecture (visual) +```mermaid +flowchart LR + A[Azure Resources] --> B[Log Analytics] + C[Arc-enabled Servers] --> B + D[Azure Local] --> E[Log Forwarder] + E --> B + B --> F[SIEM] +``` + +## Diagram +Hybrid logging architecture: [`22-diagrams/hybrid-logging-architecture.mmd`](22-diagrams/hybrid-logging-architecture.mmd) + +## Related docs +- Hybrid/Azure Local: [`18-hybrid-azure-local.md`](18-hybrid-azure-local.md) +- Incident response: [`11-incident-response.md`](11-incident-response.md) diff --git a/docs/17-data-protection-and-keys.md b/docs/17-data-protection-and-keys.md new file mode 100644 index 0000000..6199462 --- /dev/null +++ b/docs/17-data-protection-and-keys.md @@ -0,0 +1,19 @@ +# Data Protection and Keys + +## Objectives +- Protect data in transit and at rest. +- Standardize key management and rotation. + +## Controls +- Encryption at rest for storage and databases. +- TLS 1.2+ for data in transit. +- Centralized key management with RBAC and audit logs. + +## Key management +- Keys stored in a managed vault service. +- Rotation enforced annually or upon compromise. +- Access reviewed quarterly. + +## Related docs +- Access management: [`15-access-management.md`](15-access-management.md) +- Logging & SIEM: [`16-logging-monitoring-siem.md`](16-logging-monitoring-siem.md) diff --git a/docs/18-hybrid-azure-local.md b/docs/18-hybrid-azure-local.md new file mode 100644 index 0000000..3814aec --- /dev/null 
+++ b/docs/18-hybrid-azure-local.md @@ -0,0 +1,35 @@ +# Hybrid and Azure Local + +## Azure Arc onboarding +- Standard onboarding scripts are used for Windows and Linux. +- Assets are tagged for ownership and environment. +- Policy scope ensures the same baseline for cloud and hybrid. + +## Policy scope +- Management group policies apply to Arc-enabled servers. +- Exceptions must be time-bound and approved. + +## Logging pipeline +- Forward logs from Arc-enabled servers to SIEM. +- Validate data flow with a test query and alert. + +## Connectivity patterns +- Hub/spoke with centralized firewall controls. +- Private link where available; otherwise, restricted outbound. +- Dedicated management subnets for hybrid connectivity. + +## Azure Local baseline checklist +- **Identity:** federated identity and MFA for admin access. +- **Patching:** defined patch cadence and verification. +- **EDR:** endpoint detection and response installed. +- **Logging:** forwarding enabled with retention. +- **Secrets:** stored in a managed vault with rotation. + +## Practical hybrid boundaries +- Cloud Security Service owns baseline policy and logging. +- Local IT owns physical infrastructure and local admin operations. +- Shared responsibility for incident response and evidence. + +## Related docs +- Logging & SIEM: [`16-logging-monitoring-siem.md`](16-logging-monitoring-siem.md) +- Policy-as-code: [`../impl/azure/policy-as-code/README.md`](../impl/azure/policy-as-code/README.md) diff --git a/docs/19-devsecops-pipelines.md b/docs/19-devsecops-pipelines.md new file mode 100644 index 0000000..f3aca0f --- /dev/null +++ b/docs/19-devsecops-pipelines.md 
@@ -0,0 +1,55 @@ +# DevSecOps Pipelines + +## Security integration +- **SAST:** scan application code for vulnerabilities. +- **Dependency scan:** check third-party libraries for CVEs. +- **IaC scan:** validate Terraform/Bicep templates for misconfigurations. +- **Secret scan:** prevent accidental credential exposure. +- **Gated deployments:** block releases on critical findings. + +## Definition of done (security) +- No critical vulnerabilities open. +- Policy compliance checks passed. +- Secrets scan shows no leaked credentials. +- Logging and monitoring enabled. + +## Example pipeline snippets + +```yaml +# Example: security checks stage +steps: + - name: sast + run: ./tools/run-sast.sh + - name: dependency-scan + run: ./tools/dependency-scan.sh + - name: iac-scan + run: ./tools/iac-scan.sh + - name: secret-scan + run: ./tools/secret-scan.sh +``` + +```yaml +# Example: gated deployment +steps: + - name: deploy + run: ./tools/deploy.sh + - name: validate-policy + run: ./tools/policy-validate.sh +``` + +## Policy-as-code loop (visual) +```mermaid +flowchart LR + A[Author] --> B[Test] + B --> C[Deploy] + C --> D[Monitor Drift] + D --> E[Fix] + E --> A +``` + +## Diagram +Policy-as-code lifecycle: [`22-diagrams/policy-as-code-loop.mmd`](22-diagrams/policy-as-code-loop.mmd) + +## Related docs +- Operating model: [`05-operating-model.md`](05-operating-model.md) +- Templates: [`21-templates/template-sprint-ceremonies.md`](21-templates/template-sprint-ceremonies.md) diff --git a/docs/20-runbooks/README.md b/docs/20-runbooks/README.md new file mode 100644 index 0000000..4f37a74 --- /dev/null +++ b/docs/20-runbooks/README.md 
@@ -0,0 +1,11 @@ +# Runbooks + +Runbooks are operational guides for the Cloud Security Service. They are designed for repeatability and audit readiness. + +## Index +- [`rbk-001-incident-triage.md`](rbk-001-incident-triage.md) +- [`rbk-002-critical-vuln-response.md`](rbk-002-critical-vuln-response.md) +- [`rbk-003-policy-drift-remediation.md`](rbk-003-policy-drift-remediation.md) +- [`rbk-004-breakglass-access.md`](rbk-004-breakglass-access.md) +- [`rbk-005-azure-arc-onboarding.md`](rbk-005-azure-arc-onboarding.md) +- [`rbk-006-sentinel-detection-tuning.md`](rbk-006-sentinel-detection-tuning.md) diff --git a/docs/20-runbooks/rbk-001-incident-triage.md b/docs/20-runbooks/rbk-001-incident-triage.md new file mode 100644 index 0000000..5e37b3f --- /dev/null +++ b/docs/20-runbooks/rbk-001-incident-triage.md @@ -0,0 +1,16 @@ +# RBK-001 Incident Triage + +## Purpose +Provide a consistent approach to triage security alerts. + +## Steps +1. Validate alert source and confidence. +2. Determine severity using the SEV model. +3. Assign incident commander for SEV1/2. +4. Open incident record and begin evidence capture. +5. Execute containment or escalation as required. + +## Evidence +- Alert details and timestamps +- Initial triage notes +- Assigned owner diff --git a/docs/20-runbooks/rbk-002-critical-vuln-response.md b/docs/20-runbooks/rbk-002-critical-vuln-response.md new file mode 100644 index 0000000..00813a1 --- /dev/null +++ b/docs/20-runbooks/rbk-002-critical-vuln-response.md 
@@ -0,0 +1,16 @@ +# RBK-002 Critical Vulnerability Response + +## Purpose +Coordinate response to critical vulnerabilities affecting cloud or hybrid workloads. + +## Steps +1. Validate vulnerability source and affected assets. +2. Assess exposure and prioritize based on criticality. +3. Open remediation ticket and notify asset owner. +4. Apply mitigation or patch within SLA. +5. Verify remediation and update evidence. + +## Evidence +- Advisory and CVE references +- Asset list and remediation status +- Verification logs diff --git a/docs/20-runbooks/rbk-003-policy-drift-remediation.md b/docs/20-runbooks/rbk-003-policy-drift-remediation.md new file mode 100644 index 0000000..8cf000e --- /dev/null +++ b/docs/20-runbooks/rbk-003-policy-drift-remediation.md @@ -0,0 +1,16 @@ +# RBK-003 Policy Drift Remediation + +## Purpose +Detect and remediate policy drift from baseline configurations. + +## Steps +1. Review compliance report for drifted resources. +2. Validate if drift is an approved exception. +3. Notify resource owner and open remediation task. +4. Apply remediation or enforce policy. +5. Confirm compliance and close ticket. + +## Evidence +- Compliance report +- Exception reference (if applicable) +- Remediation confirmation diff --git a/docs/20-runbooks/rbk-004-breakglass-access.md b/docs/20-runbooks/rbk-004-breakglass-access.md new file mode 100644 index 0000000..45a2e99 --- /dev/null +++ b/docs/20-runbooks/rbk-004-breakglass-access.md @@ -0,0 +1,16 @@ +# RBK-004 Break-Glass Access + +## Purpose +Provide controlled emergency access procedures. + +## Steps +1. Validate emergency request and incident linkage. +2. Approver authorizes break-glass use. +3. Enable access for a limited time window. +4. Capture all actions in audit logs. +5. Disable access and perform review. + +## Evidence +- Approval record +- Access logs +- Post-use review 
diff --git a/docs/20-runbooks/rbk-005-azure-arc-onboarding.md b/docs/20-runbooks/rbk-005-azure-arc-onboarding.md new file mode 100644 index 0000000..c8cd89b --- /dev/null +++ b/docs/20-runbooks/rbk-005-azure-arc-onboarding.md @@ -0,0 +1,16 @@ +# RBK-005 Azure Arc Onboarding + +## Purpose +Onboard hybrid servers to Azure Arc with consistent policy and logging. + +## Steps +1. Validate connectivity and prerequisites. +2. Run approved onboarding script (PowerShell or Bash). +3. Tag resources for ownership and environment. +4. Validate policy compliance and log forwarding. +5. Document onboarding evidence. + +## Evidence +- Onboarding logs +- Policy compliance snapshot +- Log ingestion validation diff --git a/docs/20-runbooks/rbk-006-sentinel-detection-tuning.md b/docs/20-runbooks/rbk-006-sentinel-detection-tuning.md new file mode 100644 index 0000000..64df237 --- /dev/null +++ b/docs/20-runbooks/rbk-006-sentinel-detection-tuning.md @@ -0,0 +1,16 @@ +# RBK-006 Sentinel Detection Tuning + +## Purpose +Maintain signal quality and reduce alert noise. + +## Steps +1. Review alert volume and false positive rate. +2. Update analytic rules and thresholds. +3. Validate detections in a test workspace. +4. Deploy changes via pipeline. +5. Monitor impact for 2 weeks. + +## Evidence +- Tuning changeset +- Validation results +- Post-change metrics diff --git a/docs/21-templates/README.md b/docs/21-templates/README.md new file mode 100644 index 0000000..aba5942 --- /dev/null +++ b/docs/21-templates/README.md 
@@ -0,0 +1,15 @@ +# Templates + +Templates support consistent documentation and operational workflows. + +## Index +- Risk register CSV: `template-risk-register.csv` +- Exception request: `template-exception-request.md` +- Risk acceptance: `template-risk-acceptance.md` +- Incident report: `template-incident-report.md` +- Postmortem: `template-postmortem.md` +- Change request: `template-change-request.md` +- Service review: `template-service-review.md` +- Weekly security ops: `template-weekly-security-ops.md` +- Sprint ceremonies: `template-sprint-ceremonies.md` +- KPI dashboard: `template-kpi-dashboard.md` diff --git a/docs/21-templates/template-change-request.md b/docs/21-templates/template-change-request.md new file mode 100644 index 0000000..9ee73b0 --- /dev/null +++ b/docs/21-templates/template-change-request.md @@ -0,0 +1,19 @@ +# Change Request + +## Summary +- **Requestor:** +- **Date:** +- **Change type:** Standard / Normal / Emergency +- **Affected services:** + +## Risk assessment +- **Impact:** +- **Likelihood:** +- **Rollback plan:** + +## Approval +- **Approver:** +- **Decision:** Approved / Rejected + +## Implementation details + diff --git a/docs/21-templates/template-exception-request.md b/docs/21-templates/template-exception-request.md new file mode 100644 index 0000000..88c8e82 --- /dev/null +++ b/docs/21-templates/template-exception-request.md @@ -0,0 +1,23 @@ +# Exception Request + +## Request details +- **Requester:** +- **Date:** +- **Business unit:** +- **Asset(s):** + +## Exception type +- [ ] Policy exception +- [ ] Risk acceptance +- [ ] Compensating controls + +## Justification + +## Compensating controls + +## Expiry date + +## Risk owner approval +- **Name:** +- **Date:** +- **Decision:** Approved / Rejected diff --git a/docs/21-templates/template-incident-report.md b/docs/21-templates/template-incident-report.md new file mode 100644 index 0000000..b8d65ce --- /dev/null +++ b/docs/21-templates/template-incident-report.md 
@@ -0,0 +1,22 @@ +# Incident Report + +## Summary +- **Incident ID:** +- **Date/time:** +- **Severity:** +- **Incident commander:** + +## Timeline +- Detection: +- Containment: +- Eradication: +- Recovery: + +## Impact + +## Root cause + +## Remediation + +## Evidence links + diff --git a/docs/21-templates/template-kpi-dashboard.md b/docs/21-templates/template-kpi-dashboard.md new file mode 100644 index 0000000..d305d05 --- /dev/null +++ b/docs/21-templates/template-kpi-dashboard.md @@ -0,0 +1,11 @@ +# KPI Dashboard + +| KPI | Current | Target | Owner | Status | +| --- | --- | --- | --- | --- | +| Policy compliance % | | ≥ 95% | Service Manager | | +| MTTR (critical) | | ≤ 7 days | Remediation Lead | | +| TTD | | ≤ 15 min | SecOps | | +| TTC | | ≤ 4 hours | Incident Commander | | +| Privileged access exposure | | 0 standing admins | Identity Lead | | +| Misconfiguration trend | | Decreasing | Service Manager | | +| Backup restore tests | | ≥ 95% | Platform Ops | | diff --git a/docs/21-templates/template-postmortem.md b/docs/21-templates/template-postmortem.md new file mode 100644 index 0000000..17dca34 --- /dev/null +++ b/docs/21-templates/template-postmortem.md @@ -0,0 +1,16 @@ +# Postmortem + +## Summary + +## What happened + +## Why it happened (root causes) + +## What went well + +## What didn’t go well + +## Action items +| Action | Owner | Due date | Status | +| --- | --- | --- | --- | + diff --git a/docs/21-templates/template-risk-acceptance.md b/docs/21-templates/template-risk-acceptance.md new file mode 100644 index 0000000..13b8170 --- /dev/null +++ b/docs/21-templates/template-risk-acceptance.md @@ -0,0 +1,17 @@ +# Risk Acceptance + +## Risk summary +- **Risk ID:** +- **Title:** +- **Description:** +- **Likelihood / Impact / Score:** + +## Decision +- **Accepted by:** +- **Date:** +- **Expiry:** + +## Rationale + +## Monitoring plan + 
diff --git a/docs/21-templates/template-risk-register.csv b/docs/21-templates/template-risk-register.csv new file mode 100644 index 0000000..978d76d --- /dev/null +++ b/docs/21-templates/template-risk-register.csv @@ -0,0 +1,2 @@ +id,title,description,likelihood,impact,score,owner,treatment,due_date,status,last_reviewed,evidence_links +R-001,Sample risk,Example description,3,4,12,Service Manager,Mitigate,2025-03-31,Open,2025-01-15,link diff --git a/docs/21-templates/template-service-review.md b/docs/21-templates/template-service-review.md new file mode 100644 index 0000000..bfcf4e4 --- /dev/null +++ b/docs/21-templates/template-service-review.md @@ -0,0 +1,12 @@ +# Service Review + +## Review period + +## KPI summary + +## Risks and exceptions + +## Incidents and changes + +## Decisions and actions + diff --git a/docs/21-templates/template-sprint-ceremonies.md b/docs/21-templates/template-sprint-ceremonies.md new file mode 100644 index 0000000..5f7ac2e --- /dev/null +++ b/docs/21-templates/template-sprint-ceremonies.md @@ -0,0 +1,18 @@ +# Sprint Ceremonies Template + +## Sprint planning +- Goals +- Capacity +- Backlog items + +## Daily standup +- Yesterday / Today / Blockers + +## Review & demo +- Delivered items +- KPI impacts + +## Retrospective +- What went well +- What to improve +- Actions diff --git a/docs/21-templates/template-weekly-security-ops.md b/docs/21-templates/template-weekly-security-ops.md new file mode 100644 index 0000000..b92a6b6 --- /dev/null +++ b/docs/21-templates/template-weekly-security-ops.md @@ -0,0 +1,12 @@ +# Weekly Security Ops Agenda + +## Metrics review + +## Incidents and escalations + +## Exceptions and risk updates + +## Upcoming changes + +## Action items + diff --git a/docs/22-diagrams/README.md b/docs/22-diagrams/README.md new file mode 100644 index 0000000..8230d1e --- /dev/null +++ b/docs/22-diagrams/README.md 
@@ -0,0 +1,13 @@
+# Diagrams
+
+Mermaid diagrams supporting key flows and lifecycle models.
+
+## Index
+- `service-lifecycle.mmd`
+- `security-operating-model.mmd`
+- `incident-response.mmd`
+- `change-management.mmd`
+- `exception-handling.mmd`
+- `policy-as-code-loop.mmd`
+- `hybrid-logging-architecture.mmd`
+- `shared-responsibility.mmd`
diff --git a/docs/22-diagrams/change-management.mmd b/docs/22-diagrams/change-management.mmd
new file mode 100644
index 0000000..3b47eb3
--- /dev/null
+++ b/docs/22-diagrams/change-management.mmd
@@ -0,0 +1,10 @@
+flowchart LR
+ A[Change Request] --> B[Risk Assessment]
+ B --> C{Type}
+ C -->|Standard| D[Auto-Approve]
+ C -->|Normal| E[Approve]
+ C -->|Emergency| F[Expedite]
+ D --> G[Implement]
+ E --> G
+ F --> G
+ G --> H[Verify & Close]
diff --git a/docs/22-diagrams/exception-handling.mmd b/docs/22-diagrams/exception-handling.mmd
new file mode 100644
index 0000000..f79f72b
--- /dev/null
+++ b/docs/22-diagrams/exception-handling.mmd
@@ -0,0 +1,6 @@
+flowchart LR
+ A[Request] --> B[Assess]
+ B --> C{Approve?}
+ C -->|Yes| D[Compensating Controls]
+ C -->|No| E[Reject]
+ D --> F[Review/Expire]
diff --git a/docs/22-diagrams/hybrid-logging-architecture.mmd b/docs/22-diagrams/hybrid-logging-architecture.mmd
new file mode 100644
index 0000000..9d49b87
--- /dev/null
+++ b/docs/22-diagrams/hybrid-logging-architecture.mmd
@@ -0,0 +1,6 @@
+flowchart LR
+ A[Azure Resources] --> B[Log Analytics]
+ C[Arc-enabled Servers] --> B
+ D[Azure Local] --> E[Log Forwarder]
+ E --> B
+ B --> F[SIEM]
diff --git a/docs/22-diagrams/incident-response.mmd b/docs/22-diagrams/incident-response.mmd
new file mode 100644
index 0000000..70825e8
--- /dev/null
+++ b/docs/22-diagrams/incident-response.mmd
@@ -0,0 +1,9 @@
+flowchart LR
+ A[Alert] --> B[Triage]
+ B --> C{Severity}
+ C -->|SEV1/2| D[Contain]
+ C -->|SEV3/4| E[Remediate]
+ D --> F[Eradicate]
+ F --> G[Recover]
+ G --> H[Learn]
+ E --> H
diff --git a/docs/22-diagrams/policy-as-code-loop.mmd b/docs/22-diagrams/policy-as-code-loop.mmd
new file mode 100644
index 0000000..8f6edff
--- /dev/null
+++ b/docs/22-diagrams/policy-as-code-loop.mmd
@@ -0,0 +1,6 @@
+flowchart LR
+ A[Author] --> B[Test]
+ B --> C[Deploy]
+ C --> D[Monitor Drift]
+ D --> E[Fix]
+ E --> A
diff --git a/docs/22-diagrams/security-operating-model.mmd b/docs/22-diagrams/security-operating-model.mmd
new file mode 100644
index 0000000..3a41b18
--- /dev/null
+++ b/docs/22-diagrams/security-operating-model.mmd
@@ -0,0 +1,5 @@
+flowchart LR
+ A[Plan] --> B[Build]
+ B --> C[Run]
+ C --> D[Improve]
+ D --> A
diff --git a/docs/22-diagrams/service-lifecycle.mmd b/docs/22-diagrams/service-lifecycle.mmd
new file mode 100644
index 0000000..00bb9b9
--- /dev/null
+++ b/docs/22-diagrams/service-lifecycle.mmd
@@ -0,0 +1,7 @@
+flowchart LR
+ A[Discover Demand] --> B[Define Service]
+ B --> C[Design Controls]
+ C --> D[Build Controls as Code]
+ D --> E[Operate & Monitor]
+ E --> F[Measure & Improve]
+ F --> B
diff --git a/docs/22-diagrams/shared-responsibility.mmd b/docs/22-diagrams/shared-responsibility.mmd
new file mode 100644
index 0000000..6fe8b9b
--- /dev/null
+++ b/docs/22-diagrams/shared-responsibility.mmd
@@ -0,0 +1,8 @@
+flowchart LR
+ A[Cloud Provider] --> B[Physical Security]
+ A --> C[Hypervisor]
+ A --> D[Core Services]
+ E[Customer] --> F[Identity]
+ E --> G[Data]
+ E --> H[Configuration]
+ E --> I[Applications]
diff --git a/docs/assets/app.js b/docs/assets/app.js
new file mode 100644
index 0000000..7257f88
--- /dev/null
+++ b/docs/assets/app.js
@@ -0,0 +1,63 @@
+const pageDefinitions = [
+ { title: "Overview", path: "pages/overview.html" },
+ { title: "Service Definition", path: "pages/service-definition.html" },
+ { title: "Operating Model", path: "pages/operating-model.html" },
+ { title: "Architecture", path: "pages/architecture.html" },
+ { title: "KPIs", path: "pages/kpis.html" },
+ { title: "Roadmap", path: "pages/roadmap.html" },
+ { title: "Runbooks", path: "pages/runbooks.html" },
+ { title: "Templates", path: "pages/templates.html" },
+ { title: "Hybrid", path: "pages/hybrid.html" }
+];
+
+function getBasePath() {
+ let path = window.location.pathname;
+ if (path.endsWith("/")) {
+ path = path.slice(0, -1);
+ }
+ if (path.endsWith("/index.html")) {
+ path = path.slice(0, -"/index.html".length);
+ }
+ if (path.includes("/pages/")) {
+ path = path.split("/pages/")[0];
+ }
+ return path || "";
+}
+
+function resolveHref(targetPath) {
+ const basePath = getBasePath();
+ const trimmedBase = basePath.replace(/\/$/, "");
+ return `${trimmedBase}/${targetPath}`;
+}
+
+function buildNav() {
+ const nav = document.getElementById("nav-links");
+ pageDefinitions.forEach((page) => {
+ const link = document.createElement("a");
+ link.href = resolveHref(page.path);
+ link.textContent = page.title;
+ nav.appendChild(link);
+ });
+}
+
+function setupSearch() {
+ const input = document.getElementById("search");
+ if (!input) return;
+ input.addEventListener("input", (event) => {
+ const query = event.target.value.toLowerCase();
+ const results = pageDefinitions.filter((page) =>
+ page.title.toLowerCase().includes(query)
+ );
+ const nav = document.getElementById("nav-links");
+ nav.innerHTML = "";
+ results.forEach((page) => {
+ const link = document.createElement("a");
+ link.href = resolveHref(page.path);
+ link.textContent = page.title;
+ nav.appendChild(link);
+ });
+ });
+}
+
+buildNav();
+setupSearch();
diff --git a/docs/assets/style.css b/docs/assets/style.css
new file mode 100644
index 0000000..0ee9c39
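Review bot: `resolveHref` builds every nav link from the raw `window.location.pathname`, and a pathname that begins with a doubled slash (e.g. `https://host//evil.example/pages/overview.html`, if the host serves such a path) leaves `trimmedBase = "//evil.example"`, so `link.href` becomes a protocol-relative URL pointing at another origin. Collapsing leading slashes closes that: `const trimmedBase = basePath.replace(/\/+$/, "").replace(/^\/+/, "/");` — a mangled base then degrades to a same-origin 404 instead of an off-site link. `getBasePath` also cuts at the first `/pages/`, so a Pages site whose repository is itself named `pages` (`/pages/pages/overview.html`) resolves to an empty base and every link drops the repo prefix; cutting at `lastIndexOf("/pages/")` would be safer given the pages live one level deep. Finally, `buildNav` and the search handler dereference `#nav-links` without the null guard that `setupSearch` applies to `#search`, so any page lacking the nav container throws at load.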
--- /dev/null +++ b/docs/assets/style.css @@ -0,0 +1,80 @@ +:root { + --bg: #f7f9fb; + --text: #1f2933; + --nav: #ffffff; + --accent: #0b5cab; +} + +* { + box-sizing: border-box; +} + +body { + margin: 0; + font-family: Arial, sans-serif; + color: var(--text); + background: var(--bg); +} + +header { + background: var(--nav); + padding: 1rem 1.5rem; + border-bottom: 1px solid #e0e6ed; +} + +.container { + display: flex; + min-height: calc(100vh - 60px); +} + +nav { + width: 260px; + background: var(--nav); + border-right: 1px solid #e0e6ed; + padding: 1rem; +} + +main { + flex: 1; + padding: 2rem; +} + +nav a { + display: block; + color: var(--text); + text-decoration: none; + padding: 0.4rem 0; +} + +nav a:hover { + color: var(--accent); +} + +.search { + margin-bottom: 1rem; +} + +.search input { + width: 100%; + padding: 0.5rem; + border: 1px solid #ccd6e0; + border-radius: 4px; +} + +.card { + background: white; + padding: 1rem; + border-radius: 6px; + border: 1px solid #e0e6ed; + margin-bottom: 1rem; +} + +@media (max-width: 900px) { + .container { + flex-direction: column; + } + + nav { + width: 100%; + } +} diff --git a/docs/index.html b/docs/index.html new file mode 100644 index 0000000..d1f99ab --- /dev/null +++ b/docs/index.html @@ -0,0 +1,39 @@ + + + + + + Cloud Security Service Model + + + +
+ Cloud Security Service Model +
Azure + Hybrid operating model
+
+
+ +
+
+

Overview

+

+ This site summarizes the enterprise Cloud Security Service operating model. The canonical source of truth + is the Markdown documentation in the docs/ folder. +

+

+ Start with the executive overview and service definition to understand scope, boundaries, and ownership. +

+

+ Go to overview +

+
+
+
+ + + diff --git a/docs/pages/architecture.html b/docs/pages/architecture.html new file mode 100644 index 0000000..51bad0e --- /dev/null +++ b/docs/pages/architecture.html @@ -0,0 +1,31 @@ + + + + + + Architecture + + + +
+ Architecture +
+
+ +
+
+

Architecture

+

Principles and reference architecture for the Cloud Security Service.

+

Architecture principles

+

Reference architecture

+
+
+
+ + + diff --git a/docs/pages/hybrid.html b/docs/pages/hybrid.html new file mode 100644 index 0000000..4962cf4 --- /dev/null +++ b/docs/pages/hybrid.html @@ -0,0 +1,30 @@ + + + + + + Hybrid + + + +
+ Hybrid and Azure Local +
+
+ +
+
+

Hybrid

+

Guidance for Azure Arc onboarding and Azure Local baseline controls.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/pages/kpis.html b/docs/pages/kpis.html new file mode 100644 index 0000000..aab6694 --- /dev/null +++ b/docs/pages/kpis.html @@ -0,0 +1,30 @@ + + + + + + KPIs + + + +
+ KPIs +
+
+ +
+
+

Metrics and KPIs

+

Definitions, formulas, targets, and ownership for key metrics.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/pages/operating-model.html b/docs/pages/operating-model.html new file mode 100644 index 0000000..aa84a57 --- /dev/null +++ b/docs/pages/operating-model.html @@ -0,0 +1,30 @@ + + + + + + Operating Model + + + +
+ Operating Model +
+
+ +
+
+

Operating Model

+

Plan, build, run, and improve with defined cadence and escalation paths.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/pages/overview.html b/docs/pages/overview.html new file mode 100644 index 0000000..ea1ead4 --- /dev/null +++ b/docs/pages/overview.html @@ -0,0 +1,30 @@ + + + + + + Overview + + + +
+ Overview +
+
+ +
+
+

Executive Overview

+

High-level purpose, assumptions, and framework alignment.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/pages/roadmap.html b/docs/pages/roadmap.html new file mode 100644 index 0000000..569e5e3 --- /dev/null +++ b/docs/pages/roadmap.html @@ -0,0 +1,30 @@ + + + + + + Roadmap + + + +
+ Roadmap +
+
+ +
+
+

Roadmap and Maturity

+

Phased maturity model with a sample 12-month roadmap.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/pages/runbooks.html b/docs/pages/runbooks.html new file mode 100644 index 0000000..49f28d3 --- /dev/null +++ b/docs/pages/runbooks.html @@ -0,0 +1,30 @@ + + + + + + Runbooks + + + +
+ Runbooks +
+
+ +
+
+

Runbooks

+

Operational guides for triage, remediation, and onboarding.

+

View Markdown runbook index

+
+
+
+ + + diff --git a/docs/pages/service-definition.html b/docs/pages/service-definition.html new file mode 100644 index 0000000..fb0f8e0 --- /dev/null +++ b/docs/pages/service-definition.html @@ -0,0 +1,30 @@ + + + + + + Service Definition + + + +
+ Service Definition +
+
+ +
+
+

Service Definition

+

Mission, outcomes, boundaries, and RACI for the Cloud Security Service.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/pages/templates.html b/docs/pages/templates.html new file mode 100644 index 0000000..8ddc86f --- /dev/null +++ b/docs/pages/templates.html @@ -0,0 +1,30 @@ + + + + + + Templates + + + +
+ Templates +
+
+ +
+
+

Templates

+

Usable templates for risk, incidents, change requests, and service reviews.

+

View Markdown template index

+
+
+
+ + + diff --git a/impl/azure/landing-zone/README.md b/impl/azure/landing-zone/README.md new file mode 100644 index 0000000..3ec33ce --- /dev/null +++ b/impl/azure/landing-zone/README.md @@ -0,0 +1,36 @@ +# Azure Landing Zone (Stub) + +## Management group structure +- Root management group + - Platform + - Landing Zones + - Sandbox (optional) + +## Subscription topology +- Connectivity subscription (hub) +- Identity subscription +- Management subscription (logging/monitoring) +- Workload subscriptions (spokes) + +## Identity/RBAC baseline +- Privileged roles use PIM +- Break-glass accounts monitored +- Role assignments scoped to least privilege + +## Network hub/spoke +- Hub VNet with firewall and shared services +- Spoke VNets per workload +- Private DNS and private endpoints where feasible + +## Logging + SIEM +- Log Analytics workspace in management subscription +- Diagnostic settings enforced via policy +- Sentinel (or equivalent SIEM) for detections + +## Policy assignments +- Baseline policy initiative at management group level +- Workload-specific initiatives at subscription level + +## Related +- Bicep stubs in `bicep/` +- Terraform skeleton in `terraform/` diff --git a/impl/azure/landing-zone/bicep/main.bicep b/impl/azure/landing-zone/bicep/main.bicep new file mode 100644 index 0000000..db8c33f --- /dev/null +++ b/impl/azure/landing-zone/bicep/main.bicep 
@@ -0,0 +1,37 @@
+// Entry point for landing zone deployment (stub)
+param location string = 'eastus'
+
+module identity 'modules/identity.bicep' = {
+ name: 'identity'
+ params: {
+ location: location
+ }
+}
+
+module network 'modules/network-hubspoke.bicep' = {
+ name: 'network'
+ params: {
+ location: location
+ }
+}
+
+module logging 'modules/logging-siem.bicep' = {
+ name: 'logging'
+ params: {
+ location: location
+ }
+}
+
+module keyvault 'modules/keyvault.bicep' = {
+ name: 'keyvault'
+ params: {
+ location: location
+ }
+}
+
+module policies 'modules/policy-assignments.bicep' = {
+ name: 'policies'
+ params: {
+ location: location
+ }
+}
diff --git a/impl/azure/landing-zone/bicep/modules/identity.bicep b/impl/azure/landing-zone/bicep/modules/identity.bicep
new file mode 100644
index 0000000..987121b
--- /dev/null
+++ b/impl/azure/landing-zone/bicep/modules/identity.bicep
@@ -0,0 +1,5 @@
+param location string
+
+// TODO: Define identity resources (managed identities, role assignments)
+// Notes: Use PIM for privileged roles and enforce least privilege.
+output identityBaseline string = 'identity-baseline-stub'
diff --git a/impl/azure/landing-zone/bicep/modules/keyvault.bicep b/impl/azure/landing-zone/bicep/modules/keyvault.bicep
new file mode 100644
index 0000000..0dbd595
--- /dev/null
+++ b/impl/azure/landing-zone/bicep/modules/keyvault.bicep
@@ -0,0 +1,4 @@
+param location string
+
+// TODO: Define Key Vault with RBAC model.
+output keyVaultBaseline string = 'keyvault-stub'
diff --git a/impl/azure/landing-zone/bicep/modules/logging-siem.bicep b/impl/azure/landing-zone/bicep/modules/logging-siem.bicep
new file mode 100644
index 0000000..136d169
--- /dev/null
+++ b/impl/azure/landing-zone/bicep/modules/logging-siem.bicep
@@ -0,0 +1,4 @@
+param location string
+
+// TODO: Define Log Analytics workspace and diagnostic settings placeholders.
+output loggingBaseline string = 'logging-siem-stub'
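Review bot: `main.bicep` declares no `targetScope`, so it deploys at the default resource-group scope, yet the README in the same commit places the baseline policy initiative and the platform hierarchy at management-group level; the `policies` module cannot reach that scope from a resource-group deployment. If management-group deployment is intended, add `targetScope = 'managementGroup'` as the first line and give the modules that belong to a subscription an explicit `scope:`. The default `param location string = 'eastus'` also bakes a region into the security baseline's entry point; either drop the default so callers must choose, or document the intent with `@description('Primary region for landing zone resources; override per environment')` above the param.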
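Review bot: `param location string` is declared but never referenced in this stub, and the same is true of the `keyvault`, `logging-siem`, `network-hubspoke` and `policy-assignments` modules, so the Bicep linter's `no-unused-params` rule will flag all five until the TODOs are resolved. Until then, make the intent explicit rather than leaving a dangling parameter, e.g. `@description('Region for identity resources; consumed once the TODO resources are defined')` above the param, so a reader knows the wiring from `main.bicep` is deliberate and not a leftover.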
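Review bot: The TODO in `keyvault.bicep` names only the RBAC model, leaving the rest of the vault baseline undocumented for whoever fills in the stub. Expanding the comment to `// TODO: Key Vault with enableRbacAuthorization, soft delete and enablePurgeProtection on, publicNetworkAccess disabled (private endpoint), diagnostics to the logging workspace.` records the full expectation in the place it will be implemented.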
diff --git a/impl/azure/landing-zone/bicep/modules/network-hubspoke.bicep b/impl/azure/landing-zone/bicep/modules/network-hubspoke.bicep
new file mode 100644
index 0000000..64e4dd9
--- /dev/null
+++ b/impl/azure/landing-zone/bicep/modules/network-hubspoke.bicep
@@ -0,0 +1,4 @@
+param location string
+
+// TODO: Define hub VNet, spokes, firewall placeholder, private DNS zones.
+output networkBaseline string = 'network-hubspoke-stub'
diff --git a/impl/azure/landing-zone/bicep/modules/policy-assignments.bicep b/impl/azure/landing-zone/bicep/modules/policy-assignments.bicep
new file mode 100644
index 0000000..26ae5b5
--- /dev/null
+++ b/impl/azure/landing-zone/bicep/modules/policy-assignments.bicep
@@ -0,0 +1,4 @@
+param location string
+
+// TODO: Define policy assignment placeholders at management group and subscription levels.
+output policyAssignments string = 'policy-assignments-stub'
diff --git a/impl/azure/landing-zone/terraform/README.md b/impl/azure/landing-zone/terraform/README.md
new file mode 100644
index 0000000..1352933
--- /dev/null
+++ b/impl/azure/landing-zone/terraform/README.md
@@ -0,0 +1,12 @@
+# Terraform Landing Zone (Skeleton)
+
+This Terraform structure mirrors the Bicep modules. Modules are intentionally empty placeholders.
+
+## Modules
+- identity
+- network
+- logging
+- policies
+
+## Usage
+Populate each module with required resources and wiring as needed.
diff --git a/impl/azure/landing-zone/terraform/main.tf b/impl/azure/landing-zone/terraform/main.tf
new file mode 100644
index 0000000..297e9fd
--- /dev/null
+++ b/impl/azure/landing-zone/terraform/main.tf
@@ -0,0 +1,21 @@
+// Terraform landing zone skeleton
+
+terraform {
+ required_version = ">= 1.5.0"
+}
+
+module "identity" {
+ source = "./modules/identity"
+}
+
+module "network" {
+ source = "./modules/network"
+}
+
+module "logging" {
+ source = "./modules/logging"
+}
+
+module "policies" {
+ source = "./modules/policies"
+}
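Review bot: The `terraform {}` block in `main.tf` pins only `required_version` and declares neither `required_providers` nor a `backend`, so `terraform init` will pull whichever azurerm release is current and write state — which for a landing zone carries subscription, identity and network details — to a local `terraform.tfstate`. Add a pinned `required_providers` entry and a remote-backend stanza now, while the skeleton is empty, so every module that later fills in inherits them. The `//` comment on line 1 is accepted by HCL but `#` is the convention the formatter and most Terraform code use.
```hcl
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> <PROVIDER_VERSION_PLACEHOLDER>" # pin deliberately; bump via review
    }
  }
  backend "azurerm" {
    # remote, access-controlled state: fill in resource_group_name,
    # storage_account_name, container_name and key for this environment
  }
}
# … unchanged: module blocks …
```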
diff --git a/impl/azure/landing-zone/terraform/modules/identity/README.md b/impl/azure/landing-zone/terraform/modules/identity/README.md
new file mode 100644
index 0000000..b3b1fd5
--- /dev/null
+++ b/impl/azure/landing-zone/terraform/modules/identity/README.md
@@ -0,0 +1,3 @@
+# Module Placeholder
+
+This module is intentionally empty. Add resources and outputs as needed.
diff --git a/impl/azure/landing-zone/terraform/modules/logging/README.md b/impl/azure/landing-zone/terraform/modules/logging/README.md
new file mode 100644
index 0000000..b3b1fd5
--- /dev/null
+++ b/impl/azure/landing-zone/terraform/modules/logging/README.md
@@ -0,0 +1,3 @@
+# Module Placeholder
+
+This module is intentionally empty. Add resources and outputs as needed.
diff --git a/impl/azure/landing-zone/terraform/modules/network/README.md b/impl/azure/landing-zone/terraform/modules/network/README.md
new file mode 100644
index 0000000..b3b1fd5
--- /dev/null
+++ b/impl/azure/landing-zone/terraform/modules/network/README.md
@@ -0,0 +1,3 @@
+# Module Placeholder
+
+This module is intentionally empty. Add resources and outputs as needed.
diff --git a/impl/azure/landing-zone/terraform/modules/policies/README.md b/impl/azure/landing-zone/terraform/modules/policies/README.md
new file mode 100644
index 0000000..b3b1fd5
--- /dev/null
+++ b/impl/azure/landing-zone/terraform/modules/policies/README.md
@@ -0,0 +1,3 @@
+# Module Placeholder
+
+This module is intentionally empty. Add resources and outputs as needed.
diff --git a/impl/azure/policy-as-code/README.md b/impl/azure/policy-as-code/README.md
new file mode 100644
index 0000000..c1ae2eb
--- /dev/null
+++ b/impl/azure/policy-as-code/README.md
@@ -0,0 +1,20 @@
+# Policy as Code
+
+## Overview
+Policy initiatives define a baseline for cloud security. Assignments are applied at management group or subscription
+scope. This repository includes stub JSON to demonstrate structure.
+
+## Testing approach
+- Validate JSON schema with CI formatting checks.
+- Test initiatives in a non-production management group.
+- Roll out in phases: pilot → extended → enterprise.
+
+## Rollout strategy
+1. Author and review in a feature branch.
+2. Test compliance in a pilot scope.
+3. Expand scope with staged approvals.
+4. Monitor drift and remediate exceptions.
+
+## Related
+- Initiatives: `initiatives/`
+- Assignments: `assignments/`
diff --git a/impl/azure/policy-as-code/assignments/mgmt-group-assignment.example.json b/impl/azure/policy-as-code/assignments/mgmt-group-assignment.example.json
new file mode 100644
index 0000000..fe82731
--- /dev/null
+++ b/impl/azure/policy-as-code/assignments/mgmt-group-assignment.example.json
@@ -0,0 +1,9 @@
+{
+ "name": "mgmt-group-baseline-assignment",
+ "properties": {
+ "displayName": "Management Group Baseline Assignment",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/cloud-security-baseline-initiative",
+ "scope": "/providers/Microsoft.Management/managementGroups/contoso-mg",
+ "parameters": {}
+ }
+}
diff --git a/impl/azure/policy-as-code/assignments/subscription-assignment.example.json b/impl/azure/policy-as-code/assignments/subscription-assignment.example.json
new file mode 100644
index 0000000..c8a1e1e
--- /dev/null
+++ b/impl/azure/policy-as-code/assignments/subscription-assignment.example.json
@@ -0,0 +1,9 @@
+{
+ "name": "subscription-baseline-assignment",
+ "properties": {
+ "displayName": "Subscription Baseline Assignment",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/iso27001-aligned-initiative",
+ "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
+ "parameters": {}
+ }
+}
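Review bot: Both assignment examples (`mgmt-group-assignment.example.json` and `subscription-assignment.example.json`) omit `enforcementMode`, so they default to enforced, which is at odds with the pilot-first rollout the README above describes; `"enforcementMode": "DoNotEnforce"` under `properties` is the audit-only pass that belongs in the pilot example. They also declare no `identity` or `location`, which any DeployIfNotExists or Modify member of the initiative needs for remediation — the landing-zone README states that diagnostic settings are enforced via policy, and that is exactly such a member. Adding `"enforcementMode": "DoNotEnforce"` to the examples and a sentence on the managed-identity requirement to the "Rollout strategy" section would make the stubs usable templates.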
diff --git a/impl/azure/policy-as-code/initiatives/cloud-security-baseline-initiative.json b/impl/azure/policy-as-code/initiatives/cloud-security-baseline-initiative.json
new file mode 100644
index 0000000..05ddf67
--- /dev/null
+++ b/impl/azure/policy-as-code/initiatives/cloud-security-baseline-initiative.json
@@ -0,0 +1,33 @@
+{
+ "name": "cloud-security-baseline-initiative",
+ "properties": {
+ "displayName": "Cloud Security Baseline",
+ "description": "Baseline controls for encryption, diagnostics, and network exposure.",
+ "metadata": {
+ "category": "Security"
+ },
+ "parameters": {},
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "encryption-required",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/encryption-required-stub",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "no-public-ip",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/no-public-ip-stub",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "diagnostics-enabled",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/diagnostics-enabled-stub",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "required-tags",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/required-tags-stub",
+ "parameters": {}
+ }
+ ]
+ }
+}
diff --git a/impl/azure/policy-as-code/initiatives/iso27001-aligned-initiative.json b/impl/azure/policy-as-code/initiatives/iso27001-aligned-initiative.json
new file mode 100644
index 0000000..8af733a
--- /dev/null
+++ b/impl/azure/policy-as-code/initiatives/iso27001-aligned-initiative.json
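Review bot: Every member here, and in `iso27001-aligned-initiative.json`, hardcodes `"parameters": {}` while the initiative-level `"parameters"` is also empty, so the effect cannot be switched between Audit and Deny per scope — which the pilot → extended → enterprise rollout in the policy-as-code README depends on. Declare an initiative parameter such as `"effect": { "type": "String", "allowedValues": ["Audit", "Deny", "Disabled"], "defaultValue": "Audit" }` and pass `"effect": { "value": "[parameters('effect')]" }` into each member, so the pilot assignment audits and the enterprise assignment denies from the same definition. The `-stub` suffixed definition IDs will not resolve against `Microsoft.Authorization`, so the schema-only CI check the README mentions would pass while a real deployment fails; a `"version"` or note in `metadata` marking them as placeholders would make that explicit.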
@@ -0,0 +1,28 @@
+{
+ "name": "iso27001-aligned-initiative",
+ "properties": {
+ "displayName": "ISO 27001 Aligned Security Baseline",
+ "description": "High-level alignment to ISO 27001 control intent (summary only).",
+ "metadata": {
+ "category": "Security"
+ },
+ "parameters": {},
+ "policyDefinitions": [
+ {
+ "policyDefinitionReferenceId": "access-control",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/access-control-stub",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "logging-monitoring",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/logging-monitoring-stub",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "change-management",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/change-management-stub",
+ "parameters": {}
+ }
+ ]
+ }
+}
diff --git a/impl/azure/sentinel/README.md b/impl/azure/sentinel/README.md
new file mode 100644
index 0000000..545dece
--- /dev/null
+++ b/impl/azure/sentinel/README.md
@@ -0,0 +1,17 @@
+# Sentinel (Stub)
+
+## Detection engineering workflow
+1. Identify detection requirement.
+2. Author analytic rule in a test workspace.
+3. Peer review and validate logic.
+4. Deploy to production via pipeline.
+5. Review alert quality monthly.
+
+## Tuning cadence
+- Weekly review of false positives.
+- Monthly review of detection coverage.
+- Quarterly review aligned to threat landscape updates.
+
+## Contents
+- Analytic rules in `analytic-rules/`
+- Playbook stubs in `playbooks/`
diff --git a/impl/azure/sentinel/analytic-rules/impossible-travel.example.json b/impl/azure/sentinel/analytic-rules/impossible-travel.example.json
new file mode 100644
index 0000000..f7bce68
--- /dev/null
+++ b/impl/azure/sentinel/analytic-rules/impossible-travel.example.json
@@ -0,0 +1,9 @@
+{
+ "name": "Impossible Travel",
+ "properties": {
+ "description": "Detects sign-ins from geographically impossible locations.",
+ "query": "// TODO: add KQL query",
+ "severity": "Medium",
+ "enabled": true
+ }
+}
diff --git a/impl/azure/sentinel/analytic-rules/suspicious-admin-activity.example.json b/impl/azure/sentinel/analytic-rules/suspicious-admin-activity.example.json
new file mode 100644
index 0000000..4528e9f
--- /dev/null
+++ b/impl/azure/sentinel/analytic-rules/suspicious-admin-activity.example.json
@@ -0,0 +1,9 @@
+{
+ "name": "Suspicious Admin Activity",
+ "properties": {
+ "description": "Detects unusual privileged actions.",
+ "query": "// TODO: add KQL query",
+ "severity": "High",
+ "enabled": true
+ }
+}
diff --git a/impl/azure/sentinel/playbooks/disable-user.example.json b/impl/azure/sentinel/playbooks/disable-user.example.json
new file mode 100644
index 0000000..7ee458b
--- /dev/null
+++ b/impl/azure/sentinel/playbooks/disable-user.example.json
@@ -0,0 +1,7 @@
+{
+ "name": "Disable User",
+ "properties": {
+ "description": "Stub playbook to disable a user account.",
+ "workflow": "// TODO: add Logic App definition"
+ }
+}
diff --git a/impl/azure/sentinel/playbooks/isolate-vm.example.json b/impl/azure/sentinel/playbooks/isolate-vm.example.json
new file mode 100644
index 0000000..7e86481
--- /dev/null
+++ b/impl/azure/sentinel/playbooks/isolate-vm.example.json
@@ -0,0 +1,7 @@
+{
+ "name": "Isolate VM",
+ "properties": {
+ "description": "Stub playbook to isolate a VM.",
+ "workflow": "// TODO: add Logic App definition"
+ }
+}
diff --git a/impl/hybrid/azure-arc/README.md b/impl/hybrid/azure-arc/README.md
new file mode 100644
index 0000000..c41de6b
--- /dev/null
+++ b/impl/hybrid/azure-arc/README.md
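Review bot: `"enabled": true` paired with `"query": "// TODO: add KQL query"` means deploying this stub (and `suspicious-admin-activity.example.json`, which has the same pair) would create an active analytic rule with no detection logic; stubs should carry `"enabled": false` until a reviewed query exists. The objects also lack the fields a Sentinel scheduled rule requires — top-level `"kind": "Scheduled"` and `queryFrequency`, `queryPeriod`, `triggerOperator`, `triggerThreshold` under `properties` — so as written they cannot serve as the template for the "deploy to production via pipeline" step in the Sentinel README. A `tactics` array would also feed the monthly detection-coverage review that README calls for.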
@@ -0,0 +1,9 @@
+# Azure Arc (Hybrid)
+
+## Overview
+Azure Arc onboarding enables consistent policy and logging for hybrid servers. Scripts provided here are safe
+placeholders and must be updated with actual commands.
+
+## Contents
+- Onboarding scripts: `onboarding/`
+- Policy scope guidance: `policy-scope/arc-policy-scope.md`
diff --git a/impl/hybrid/azure-arc/onboarding/arc-onboard.ps1 b/impl/hybrid/azure-arc/onboarding/arc-onboard.ps1
new file mode 100644
index 0000000..b59c186
--- /dev/null
+++ b/impl/hybrid/azure-arc/onboarding/arc-onboard.ps1
@@ -0,0 +1,13 @@
+Param(
+ [Parameter(Mandatory=$true)][string]$ResourceGroup,
+ [Parameter(Mandatory=$true)][string]$Region,
+ [Parameter(Mandatory=$true)][string]$SubscriptionId
+)
+
+$logFile = "arc-onboard.log"
+"Starting Azure Arc onboarding stub" | Tee-Object -FilePath $logFile -Append
+"ResourceGroup: $ResourceGroup" | Tee-Object -FilePath $logFile -Append
+"Region: $Region" | Tee-Object -FilePath $logFile -Append
+"SubscriptionId: $SubscriptionId" | Tee-Object -FilePath $logFile -Append
+
+Write-Output "TODO: add actual Azure Arc onboarding commands"
diff --git a/impl/hybrid/azure-arc/onboarding/arc-onboard.sh b/impl/hybrid/azure-arc/onboarding/arc-onboard.sh
new file mode 100644
index 0000000..ef9637a
--- /dev/null
+++ b/impl/hybrid/azure-arc/onboarding/arc-onboard.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+RESOURCE_GROUP="${1:-}"
+REGION="${2:-}"
+SUBSCRIPTION_ID="${3:-}"
+
+if [[ -z "$RESOURCE_GROUP" || -z "$REGION" || -z "$SUBSCRIPTION_ID" ]]; then
+ echo "Usage: ./arc-onboard.sh "
+ exit 1
+fi
+
+LOG_FILE="arc-onboard.log"
+{
+ echo "Starting Azure Arc onboarding stub"
+ echo "ResourceGroup: $RESOURCE_GROUP"
+ echo "Region: $REGION"
+ echo "SubscriptionId: $SUBSCRIPTION_ID"
+ echo "TODO: add actual Azure Arc onboarding commands"
+} | tee -a "$LOG_FILE"
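Review bot: `arc-onboard.ps1` sets neither `$ErrorActionPreference = 'Stop'` nor `Set-StrictMode -Version Latest`, unlike its bash twin's `set -euo pipefail`, so a failing `Tee-Object` (an unwritable `arc-onboard.log`, for instance) continues silently — and once real onboarding commands replace the TODO, a half-completed run would be logged as if it succeeded. Add both lines above `Param(`, and consider `[ValidateNotNullOrEmpty()]` on the three mandatory parameters so an explicitly passed empty string is rejected the way the bash version's `-z` check rejects it. `$logFile = "arc-onboard.log"` is relative to the caller's working directory; `$logFile = Join-Path $PSScriptRoot 'arc-onboard.log'` keeps the onboarding evidence in a predictable place.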
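Review bot: The usage line `echo "Usage: ./arc-onboard.sh "` names none of the three arguments the guard above it checks — presumably `<resource-group> <region> <subscription-id>` were present and lost (angle brackets stripped in rendering is a plausible cause), but as shown the message tells the operator nothing. Suggest `echo "Usage: $0 <resource-group> <region> <subscription-id>" >&2` so the name follows the invoked path and usage text goes to stderr rather than into whatever captures stdout. `LOG_FILE="arc-onboard.log"` likewise lands in the caller's working directory; `LOG_FILE="$(dirname "$0")/arc-onboard.log"` or an explicit path keeps the record where the runbook expects it.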
diff --git a/impl/hybrid/azure-arc/policy-scope/arc-policy-scope.md b/impl/hybrid/azure-arc/policy-scope/arc-policy-scope.md
new file mode 100644
index 0000000..bdeb465
--- /dev/null
+++ b/impl/hybrid/azure-arc/policy-scope/arc-policy-scope.md
@@ -0,0 +1,10 @@
+# Azure Arc Policy Scope
+
+## Scope guidance
+- Apply baseline initiatives at the management group level.
+- Ensure Arc-enabled servers inherit the same policy set.
+- Tag Arc resources with owner, environment, and business unit.
+
+## Logging requirements
+- Diagnostic settings must forward security logs to SIEM.
+- Validate ingestion with a test query and alert.
diff --git a/impl/hybrid/azure-local/README.md b/impl/hybrid/azure-local/README.md
new file mode 100644
index 0000000..52b47a4
--- /dev/null
+++ b/impl/hybrid/azure-local/README.md
@@ -0,0 +1,9 @@
+# Azure Local
+
+## Overview
+Azure Local environments require baseline security controls similar to cloud resources. The Cloud Security Service
+provides guidance and evidence expectations.
+
+## Contents
+- `secure-baseline/baseline-checklist.md`
+- `secure-baseline/logging-forwarding.md`
diff --git a/impl/hybrid/azure-local/secure-baseline/baseline-checklist.md b/impl/hybrid/azure-local/secure-baseline/baseline-checklist.md
new file mode 100644
index 0000000..f4db22a
--- /dev/null
+++ b/impl/hybrid/azure-local/secure-baseline/baseline-checklist.md
@@ -0,0 +1,21 @@
+# Azure Local Baseline Checklist
+
+## Identity
+- MFA for administrative access
+- Role-based access with least privilege
+
+## Patching
+- Monthly patch cycle with emergency updates as needed
+- Verification and reporting
+
+## EDR
+- Endpoint protection deployed and monitored
+- Alerts forwarded to SIEM
+
+## Logging
+- System and security logs forwarded to SIEM
+- Retention aligned to audit needs
+
+## Secrets
+- Secrets stored in a managed vault
+- Rotation policy documented
diff --git a/impl/hybrid/azure-local/secure-baseline/logging-forwarding.md b/impl/hybrid/azure-local/secure-baseline/logging-forwarding.md
new file mode 100644
index 0000000..4ccc859
--- /dev/null
+++ b/impl/hybrid/azure-local/secure-baseline/logging-forwarding.md
@@ -0,0 +1,7 @@
+# Logging Forwarding (Azure Local)
+
+## Steps
+1. Configure log collectors on Azure Local hosts.
+2. Forward logs to centralized SIEM endpoint.
+3. Validate ingestion with test events.
+4. Document retention and access controls.