Customer narrative

In earlier Learn modules for the Microsoft Cloud Adoption Framework for Azure, we shared the narrative of Tailwind Traders. This module is the next step in Tailwind's cloud-adoption journey. The Tailwind team is evaluating its security posture.

The Tailwind Traders innovation team is rapidly deploying new products and services and migrating out of their data centers. The company's chief information security officer (CISO) is concerned that the company's risk profile is growing quickly and has become larger than originally anticipated. The company hasn't encountered a breach, but now that adoption is ramping up quickly, a breach is a possibility.

Tailwind Traders previously completed the Ready methodology of the Microsoft Cloud Adoption Framework for Azure module, but the company wants to be proactive to prevent future security issues. It also wants to operationalize security practices across its portfolio to improve its overall security posture. As pointed out in previous Tailwind Traders narratives, the company chose a "start small" implementation of Azure landing zones. As a result, it doesn't have all the rich security tools that come with the Azure landing zone accelerator.

Note

If Tailwind Traders had deployed Azure landing zones at an enterprise scale from the beginning, it would already have many of these tools in place. Having the tools would accelerate the company's security journey.

The CISO wants to add proper layers of protection to reduce risk and prepare for inevitable breach situations. For example, the CISO wants to:

  • Reduce risk from major incidents: The CISO wants to prevent as many incidents as possible, limit the damage from successful attacks, and rapidly detect, respond to, and recover from incidents. She also wants to be able to restore business processes without paying a ransom.
  • Identify and protect sensitive business data: The CISO wants to clearly identify what business assets are important to the organization and map those assets into technical assets. She also wants to protect those assets appropriately whether they're structured data, unstructured data, or any types of applications or systems that enable business-critical processes.
  • Rapidly modernize the existing security program: The CISO wants to modernize the security program with well-planned initiatives that prioritize quick wins and incremental progress across all security disciplines.
  • Show the company has a strong security posture to build confidence with employees, partners, customers, and stakeholders: The CISO wants to provide the right level of details on Tailwind Traders' security posture to organization leadership, oversight, and business partners. She wants to carefully balance the ability to provide enough information to build trust while limiting risk from disclosing too much data.
  • Proactively meet regulatory and compliance requirements: The CISO wants to rapidly discover, understand, meet, and report compliance with external requirements.
  • Reduce the cost and complexity of doing business: The CISO wants to simplify security processes and reduce friction in business processes from security. Modernizing workloads and applying modern security intelligence, automation, monitoring, and defense approaches is key to this effort.

Finally, the CISO also wants to:

  • Gain insights into the company's security posture that will help build confidence and help the company prioritize what work needs to be done next.
  • Empower employees, contractors, and business partners to do their jobs securely from anywhere.
  • Ensure monitoring and policy enforcement for all access to the organization's resources with a full end-to-end lifecycle approach.

The CISO has decided to improve the security posture of Tailwind Traders' cloud implementations by adding:

  • Tools
  • Controls
  • Architectures
  • Security operations
  • Administration practices