Design a Zero Trust strategy and architecture (30–35%)

Build an overall security strategy and architecture

  • Identify the integration points in an architecture by using Microsoft Cybersecurity Reference Architecture (MCRA)
  • Translate business goals into security requirements
  • Translate security requirements into technical capabilities, including security services, security products, and security processes
  • Design security for a resiliency strategy
  • Integrate a hybrid or multi-tenant environment into a security strategy
  • Develop a technical governance strategy for security

Design a security operations strategy

Design an identity security strategy
Note: includes hybrid and multi-cloud

  • Design a strategy for access to cloud resources
  • Recommend an identity store (tenants, B2B, B2C, hybrid)
  • Recommend an authentication strategy
  • Recommend an authorization strategy
  • Design a strategy for conditional access
  • Design a strategy for role assignment and delegation
  • Design security strategy for privileged role access to infrastructure including identity-based firewall rules, Azure PIM
  • Design security strategy for privileged activities including PAM, entitlement management, cloud tenant administration

Evaluate Governance, Risk, and Compliance (GRC) technical strategies and security operations strategies (20–25%)

Design a regulatory compliance strategy

  • Interpret compliance requirements and translate into specific technical capabilities (new or existing)
  • Evaluate infrastructure compliance by using Microsoft Defender for Cloud
  • Interpret compliance scores and recommend actions to resolve issues or improve security

Design implementation of Azure Policy

  • Design for data residency requirements
  • Translate privacy requirements into requirements for security solutions

Evaluate security posture and recommend technical strategies to manage risk

  • Evaluate security posture by using benchmarks (including Azure security benchmarks, ISO 27001, etc.)
  • Evaluate security posture by using Microsoft Defender for Cloud
  • Evaluate security posture by using Secure Scores
  • Evaluate security posture of cloud workloads
  • Design security for an Azure Landing Zone
  • Interpret technical threat intelligence and recommend risk mitigations
  • Recommend security capabilities or controls to mitigate identified risks

Design security for infrastructure (20–25%)

Design a strategy for securing server and client endpoints
Note: includes hybrid and multi-cloud

  • Specify security baselines for server and client endpoints
  • Specify security requirements for servers, including multiple platforms and operating systems
  • Specify security requirements for mobile devices and clients, including endpoint protection, hardening, and configuration
  • Specify requirements to secure Active Directory Domain Services
  • Design a strategy to manage secrets, keys, and certificates
  • Design a strategy for secure remote access

Design a strategy for securing SaaS, PaaS, and IaaS services

  • Specify security baselines for SaaS, PaaS, and IaaS services
  • Specify security requirements for IoT workloads
  • Specify security requirements for data workloads, including SQL, Azure SQL Database, Azure Synapse, and Azure Cosmos DB
  • Specify security requirements for web workloads, including Azure App Service
  • Specify security requirements for storage workloads, including Azure Storage
  • Specify security requirements for containers
  • Specify security requirements for container orchestration

Design a strategy for data and applications (20–25%)

Specify security requirements for applications

  • Specify priorities for mitigating threats to applications
  • Specify a security standard for onboarding a new application
  • Specify a security strategy for applications and APIs

Design a strategy for securing data

  • Specify priorities for mitigating threats to data
  • Design a strategy to identify and protect sensitive data
  • Specify an encryption standard for data at rest and in motion
