Architecture and Reference
Coding-Autopilot-System CI edited this page May 27, 2026
- Policy-as-code: all security controls expressed as versioned, testable code
- Shift-left: security integrated into CI/CD pipelines via DevSecOps gates
- Zero-trust posture: least-privilege identity, network segmentation, continuous validation
- Hybrid-first: Azure Arc extends policy and monitoring to on-premises and multi-cloud
- Observable by default: centralized logging via Microsoft Sentinel
The Cloud Security Service covers:
- Azure subscriptions via Azure Policy and Defender for Cloud
- Hybrid/on-prem via Azure Arc (servers, Kubernetes, Azure Local)
- Identity via Entra ID with PIM for privileged access
- Network via hub-and-spoke with NSG/firewall policy-as-code
- Logging via Log Analytics workspaces and Microsoft Sentinel
Security gates are integrated at four pipeline stages:
- Pre-commit: secret scanning, IaC linting (tflint, bicep-linter)
- CI: SAST, dependency scanning, policy compliance checks
- CD: Defender for Cloud deployment assessment, policy dry-run
- Post-deployment: drift detection, compliance re-scan, alert baseline
Controls are implemented as Azure Policy definitions (JSON/Bicep), Defender for Cloud security policies, Sentinel analytics rules (KQL), and IaC modules with security defaults.
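The "policy-as-code" principle and the CI "policy compliance checks" / CD "policy dry-run" gates above both rest on being able to evaluate an Azure Policy definition against a resource document before it reaches a subscription. The following is an added example, not code from this wiki or from the Coding-Autopilot-System project: a deliberately small Python evaluator for the `policyRule` grammar (`allOf`, `anyOf`, `not`, and the `equals`, `notEquals`, `exists`, `in`, `notIn` field conditions) plus a constructed policy and a constructed set of resources, so the definition can be unit-tested in CI. It is not Azure's policy engine; alias resolution is simplified (a field alias is treated as `<resourceType>/<dotted property path>` under `properties`), and the policy and resource names are constructed sample data.

```python
"""Simplified Azure Policy-style evaluator for CI policy tests (added example).

This is NOT Azure's policy engine. It implements a subset of the policyRule
grammar so a policy definition can be dry-run against resource documents
in a pipeline before the definition is assigned to a subscription.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample policy: deny storage accounts that do not enforce
# HTTPS-only transfer (modelled on the well-known "secure transfer" control).
POLICY_HTTPS_ONLY = json.loads("""
{
  "properties": {
    "displayName": "Storage accounts must require secure transfer",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          { "anyOf": [
            { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
            { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
          ] }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
""")

# Constructed sample resources (ARM-like documents), not real deployments.
SAMPLE_RESOURCES: List[Dict[str, Any]] = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlogsprod",
     "properties": {"supportsHttpsTrafficOnly": True}},      # compliant
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
     "properties": {"supportsHttpsTrafficOnly": False}},     # explicitly off
    {"type": "Microsoft.Storage/storageAccounts", "name": "stunset",
     "properties": {}},                                       # property missing
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-web-01",
     "properties": {}},                                       # out of scope
]

TOP_LEVEL_FIELDS = {"type", "name", "location", "kind", "id"}


def resolve_field(resource: Dict[str, Any], field: str) -> Tuple[bool, Any]:
    """Resolve a policy 'field' reference; returns (exists, value).

    Simplified alias handling (assumption, not Azure's alias catalogue):
    well-known top-level fields resolve directly, 'tags[key]' reads a tag,
    and any other alias is read as '<resourceType>/<dotted.path>' under
    resource['properties'].
    """
    if field in TOP_LEVEL_FIELDS:
        return field in resource, resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        tags = resource.get("tags") or {}
        key = field[5:-1]
        return key in tags, tags.get(key)
    rtype = resource.get("type", "")
    if not field.lower().startswith(rtype.lower() + "/"):
        return False, None  # alias belongs to a different resource type
    node: Any = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def _norm(value: Any) -> str:
    # Azure Policy string comparisons are case-insensitive; booleans are
    # written as the strings "true"/"false" in definitions.
    return str(value).lower()


def match_condition(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate one logical or field condition against a resource."""
    if "allOf" in cond:
        return all(match_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(match_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not match_condition(cond["not"], resource)
    exists, value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return exists == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return exists and _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:  # missing field counts as "not equal" here
        return (not exists) or _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return exists and _norm(value) in {_norm(x) for x in cond["in"]}
    if "notIn" in cond:
        return (not exists) or _norm(value) not in {_norm(x) for x in cond["notIn"]}
    raise ValueError(f"unsupported condition keys: {sorted(cond)}")


def evaluate(policy: Dict[str, Any], resource: Dict[str, Any]) -> Optional[str]:
    """Return the effect (e.g. 'deny') the policy would apply, or None."""
    rule = policy["properties"]["policyRule"]
    if match_condition(rule["if"], resource):
        return str(rule["then"]["effect"]).lower()
    return None


def dry_run(policy: Dict[str, Any], resources: List[Dict[str, Any]]) -> Dict[str, str]:
    """Pipeline-style dry run: resource name -> effect for every resource the
    policy would act on; compliant and out-of-scope resources are omitted."""
    return {r["name"]: eff for r in resources if (eff := evaluate(policy, r))}


if __name__ == "__main__":
    for name, effect in dry_run(POLICY_HTTPS_ONLY, SAMPLE_RESOURCES).items():
        print(f"{effect.upper():6} {name}")
```

In a pipeline this runs as an ordinary unit test: the policy JSON is the versioned artefact, the resource fixtures encode the cases the control must catch (including the missing-property case, which is why the real control needs the `exists: false` branch), and a failing assertion blocks the merge before the definition is assigned.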
- Azure Arc-enabled servers: apply Azure Policy, Defender for Servers, patch management
- Azure Local (on-prem HCI): landing zone patterns, Arc integration, local Sentinel forwarding
- Arc-enabled Kubernetes: policy via Azure Policy for Kubernetes, Defender for Containers