Control 8.27 : Secure System Architecture and Engineering Principles
Summary
Principles for engineering secure systems should be established, documented, maintained and applied to any information system development activities (including integration of acquired or cloud services). The intent is that systems are built from proven, documented patterns that put security first, such as defense-in-depth, least privilege, fail-secure defaults and minimized attack surface, rather than having security added after the design is fixed.
Applicability
In-Scope: Applies to every organization that designs, builds or integrates information systems, and is treated here as mandatory for any organization running its estate on Microsoft cloud services (Azure/M365). It ensures that the overall technical ecosystem is designed to be resilient against attack and manageable from a security perspective, rather than secured one resource at a time.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Zero Trust Architecture: Implement the Microsoft Zero Trust model (verify explicitly, use least-privilege access, assume breach): every access request is evaluated on identity, device health and environmental context, typically enforced through Entra ID Conditional Access rather than network location.
- Resource Tagging: Use Azure Policy to require ownership and data-sensitivity tags on every taggable resource (a deny effect on create/update, plus remediation tasks for resources that already exist). Tags secure nothing by themselves; they are what lets stricter policies, alerts and access reviews be targeted at the right resources and owners consistently.
- Automated Guardrails: Deploy standardized, secure-by-default environments from Infrastructure as Code (Bicep/Terraform) and enforce the architecture standards at deployment time with Azure Policy (deny or deployIfNotExists effects), so that a non-conforming resource cannot be created in the first place. Azure Blueprints is scheduled for retirement and Microsoft directs new work to ARM template specs and deployment stacks, so do not build new guardrails on it.
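As an added example (not from the original page and not Microsoft's own code), the tagging and guardrail guidance above expressed as a subscription-scoped Bicep deployment: two custom Azure Policy definitions (storage accounts must disable anonymous blob access; every indexed resource must carry the required tags) and their deny assignments. The definition names, the tag keys `owner` and `dataClassification`, and the parameter defaults are assumptions for illustration.

```bicep
// Added example, not code from the original page. Deploys custom Azure Policy
// guardrails at subscription scope; names, tag keys and defaults are assumptions.
targetScope = 'subscription'

@description('Tag keys every taggable resource must carry (assumed values).')
param requiredTags array = [
  'owner'
  'dataClassification'
]

@description('Use DoNotEnforce first to see what would be denied, then switch to Default.')
@allowed([
  'Default'
  'DoNotEnforce'
])
param enforcementMode string = 'Default'

// Guardrail 1: a storage account is denied unless allowBlobPublicAccess is
// explicitly false. The "not ... equals" form also catches a missing property,
// which older API versions defaulted to "allowed".
resource denyPublicBlob 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-storage-public-blob-access'
  properties: {
    displayName: 'Storage accounts must disable anonymous blob access'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            not: {
              field: 'Microsoft.Storage/storageAccounts/allowBlobPublicAccess'
              equals: 'false'
            }
          }
        ]
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

// Guardrail 2: one definition per required tag. Mode "Indexed" restricts
// evaluation to resource types that support tags, so child resources such as
// blob containers or subnets are not blocked by a tag they cannot carry.
resource requireTag 'Microsoft.Authorization/policyDefinitions@2021-06-01' = [for tag in requiredTags: {
  name: 'require-tag-${tag}'
  properties: {
    displayName: 'Resources must carry the ${tag} tag'
    policyType: 'Custom'
    mode: 'Indexed'
    policyRule: {
      if: {
        field: 'tags[${tag}]'
        exists: 'false'
      }
      then: {
        effect: 'deny'
      }
    }
  }
}]

// Assignments bind the definitions to this subscription. Deny applies to
// create/update requests; existing resources only show as non-compliant.
resource denyPublicBlobAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-storage-public-blob-access'
  properties: {
    displayName: 'Deny anonymous blob access on storage accounts'
    policyDefinitionId: denyPublicBlob.id
    enforcementMode: enforcementMode
  }
}

resource requireTagAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = [for (tag, i) in requiredTags: {
  name: 'require-tag-${tag}'
  properties: {
    displayName: 'Require the ${tag} tag'
    policyDefinitionId: requireTag[i].id
    enforcementMode: enforcementMode
  }
}]
```

Deploy with `az deployment sub create --location <region> --template-file guardrails.bicep --parameters enforcementMode=DoNotEnforce`, review the compliance results in Azure Policy for a few days, then redeploy with `enforcementMode=Default`. Two caveats a reviewer should note: a tag deny also blocks emergency deployments that forget the tag, so exempt a break-glass resource group explicitly rather than weakening the policy; and for an organization-wide standard the same file should target a management group (`targetScope = 'managementGroup'`) so every subscription inherits it.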
Evidence Checklist
- Architecture Standards: Documented principles for system design (e.g., mandatory network segmentation, managed identities instead of stored credentials, deny-by-default network rules, approved IaC modules).
- Design Review Records: Minutes or sign-off documents from security architects for new system deployments and for significant changes, showing which principles were checked and any accepted exceptions.
- Compliance Logs: Azure Policy compliance state (including deny events in the activity log) or Microsoft Defender for Cloud secure score reports showing that deployed systems align with the established engineering principles.
Practical Audit Advice
Here are some questions the auditor might ask:
- How are secure-by-design principles, such as the principle of least privilege, concretely reflected in your Azure resource configurations (for example role assignments scoped to a single resource rather than a subscription, and managed identities instead of shared keys)?
- What process is in place to review the security architecture of a legacy system that is being migrated to the cloud?
- Can you demonstrate how you use automated tools to prevent the deployment of insecure resources (e.g., a storage account that allows anonymous blob access)?
- Who is responsible for maintaining and updating the organization's technical architecture standards as new threats emerge?
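As an added example that is not part of the original page, the kind of resource configuration that answers the first question above: a resource-group-scoped Bicep template for a storage account with the organization's secure defaults, consumed by an application through a user-assigned managed identity that is granted blob data rights on this one account only. The resource names, tag values and identity name are assumptions for illustration; the role definition GUID is the fixed ID of the built-in "Storage Blob Data Contributor" role.

```bicep
// Added example, not code from the original page. Names, tag values and the
// identity are assumptions; the role definition GUID is the built-in one.
param location string = resourceGroup().location
param storageAccountName string = 'stapp${uniqueString(resourceGroup().id)}'
param appIdentityName string = 'id-app'

@description('Tags required by the tagging standard; values are placeholders.')
param requiredTags object = {
  owner: 'platform-team'
  dataClassification: 'internal'
}

// Built-in role "Storage Blob Data Contributor" (data-plane rights only; no
// control-plane rights such as reading account keys or changing firewall rules).
var storageBlobDataContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')

// The application authenticates as this identity; no secret is ever stored.
resource appIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: appIdentityName
  location: location
  tags: requiredTags
}

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  tags: requiredTags
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    allowBlobPublicAccess: false      // no anonymous container or blob access
    allowSharedKeyAccess: false       // Entra ID only; account keys cannot be used at all
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    publicNetworkAccess: 'Disabled'   // reachable only through a private endpoint (not shown)
    networkAcls: {
      defaultAction: 'Deny'           // deny-by-default even if public access is re-enabled later
      bypass: 'AzureServices'
    }
  }
}

// Least privilege: the role is assigned at the scope of this storage account,
// not the resource group or subscription, and only for the data the app needs.
resource blobAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, appIdentity.id, storageBlobDataContributor)
  scope: storage
  properties: {
    roleDefinitionId: storageBlobDataContributor
    principalId: appIdentity.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

output storageAccountId string = storage.id
output identityClientId string = appIdentity.properties.clientId
```

Deploy with `az deployment group create --resource-group <rg> --template-file storage.bicep`. Because shared-key access is disabled, any workload that still uses a connection string fails immediately, which is the point: the only way to read the data is to run as an identity that was explicitly assigned a role on this account, and the role assignment itself is reviewable evidence for the auditor. If the deployment is run in a subscription where a deny policy on `allowBlobPublicAccess` or on required tags is assigned, this template passes because those properties are set explicitly here rather than left to platform defaults.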