The reference architecture centers on standardized landing zones, centralized policy enforcement, and shared logging/monitoring services. It supports Azure and hybrid assets via Azure Arc.
- Management groups with policy initiatives and guardrails.
- Landing zones with hub/spoke networking and shared services.
- Centralized logging via Log Analytics and SIEM.
- Identity security with PIM, break-glass accounts, and MFA.
- Hybrid onboarding via Azure Arc to maintain policy and logging scope.
- Policies are authored and tested in a controlled pipeline.
- Assignments are deployed to management groups and subscriptions.
- Logs are forwarded to SIEM for detection and response.
- Evidence is stored and mapped to controls.
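As an added example (not code from the original page), the assignment step above expressed as a Bicep template deployed at management-group scope; the initiative id is a hypothetical parameter supplied by the policy pipeline, and the enforcement mode defaults to DoNotEnforce so a new assignment reports compliance first and is switched to Default only after the test run is reviewed.

```bicep
// Added example: assign a policy initiative at management-group scope.
// Deploy with: az deployment mg create --management-group-id <mg> --location <region> --template-file assign.bicep
targetScope = 'managementGroup'

// Hypothetical initiative id; replace with the initiative produced by the policy pipeline.
param policySetDefinitionId string

// Test mode first: compliance is evaluated and reported, but nothing is denied or remediated.
@allowed([
  'DoNotEnforce'
  'Default'
])
param enforcementMode string = 'DoNotEnforce'

// Region for the assignment's managed identity (needed for DeployIfNotExists/Modify effects).
param location string = 'westeurope'

// Scopes that this assignment must not evaluate (for example a sandbox management group).
param notScopes array = []

resource guardrails 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'platform-guardrails'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    displayName: 'Platform guardrails baseline'
    description: 'Baseline guardrails inherited by every landing zone under this management group.'
    policyDefinitionId: policySetDefinitionId
    enforcementMode: enforcementMode
    notScopes: notScopes
    nonComplianceMessages: [
      {
        message: 'Resource violates the platform guardrails baseline. See the landing-zone documentation.'
      }
    ]
  }
}

output assignmentId string = guardrails.id
```

The managed identity still needs a role assignment (for example Contributor or a narrower role at the same scope) before any remediation effect in the initiative can act.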
```mermaid
flowchart LR
    A[Cloud Provider] --> B[Physical Security]
    A --> C[Hypervisor]
    A --> D[Core Services]
    E[Customer] --> F[Identity]
    E --> G[Data]
    E --> H[Configuration]
    E --> I[Applications]
```
Shared responsibility overview: 22-diagrams/shared-responsibility.mmd

- Architecture principles: 03-architecture-principles.md
- Hybrid/Azure Local: 18-hybrid-azure-local.md
- Threat model: 23-threat-model.md