AZURE Hybrid Cloud Infrastructure and Application Security Best Practices

Posted on 10/12/2025 (updated 29/05/2026) by Link State

In this guide, we will discuss “Hybrid Cloud Infrastructure and Application Security Best Practices”. I’m currently studying to become a Cybersecurity Architect, and I wanted to share my learning journey with the community. I will be exploring security posture in cloud and hybrid environments, focusing on both infrastructure and application security.

My goal is to break down complex concepts and make them accessible to anyone interested in cybersecurity.

Classifying Applications

Organizations must classify applications by priority because resources (time, funds, personnel) to implement security controls are limited.

Critical/high-priority applications are those that, if compromised, would cause significant impacts. The main criteria are:

  • Impact on business mission: Compromise halts operations, cuts off revenue, or damages reputation
  • Handling sensitive/regulated data: HR systems, confidential information, personal data
  • Broad access to IT environment: Systems like identity stores that, if breached, expose large portions of the infrastructure
  • High attack exposure: Typically Internet-facing applications

Context is crucial: a critical application for one organization may be low priority for another. The example provided compares an e-commerce website (sole revenue source = critical) with a dog trainer’s website (useful but not essential for operations = not critical).

Classification determines which applications require priority in threat modeling and security control implementation.


Setting Priorities for Application Threat Mitigation

Classifying Applications by Priority: Most organizations manage numerous applications with varying levels of importance. Since no organization has unlimited resources, it’s crucial to identify which applications are critical and should be prioritized for threat modeling and security controls.

Understanding Business Impact: Context is everything when classifying applications. An e-commerce website generating all company revenue is business-critical: any breach or downtime directly stops operations. In contrast, a local service provider’s website, while valuable, isn’t essential to daily operations.

Criteria for Critical/High-Priority Applications

Applications should be prioritized when they have:

  • Significant mission impact: Compromise would severely affect operations, revenue, or reputation
  • Sensitive or regulated data: Systems handling personal information, financial data, or classified content
  • Broad IT access: Applications like identity stores that, if compromised, could damage the entire infrastructure
  • High attack exposure: Internet-facing applications, which any attacker can reach and probe without first gaining a foothold inside the network

The classification must reflect your organization’s specific context—what’s critical for one business may be low priority for another.


Microsoft Security Development Lifecycle (SDL)

SDL’s five major threat-modeling steps


Microsoft has refined the SDL over 20+ years. While threats evolve, the core methodology remains effective. Here are the five essential steps:

1. Define Security Requirements: Establish security standards the application must meet, whether organization-wide policies or app-specific requirements.

2. Create Application Diagrams: Map all components, connections, and relationships within your IT environment. Accuracy here is critical for effective threat modeling.

3. Identify Threats: List potential threats: external, internal, application-specific, or organizational. Use threat intelligence and categorize each threat by severity (critical, high, medium, low).

4. Mitigate Threats: Implement countermeasures for identified threats. If risks are accepted instead of mitigated, document this with appropriate management approval.

5. Validate Mitigations: Test all implemented security controls to ensure they work as intended.

Like every component of IT infrastructure, applications are exposed to threats that require a comprehensive security strategy. However, it’s not always possible to mitigate all risks.

Why Not All Threats Are Mitigated

There are several reasons:

  • Limited budget
  • Lack of specific expertise
  • Unfavorable cost-benefit assessment
  • Operational impact too high relative to the risk


The Recommended Approach

To understand application threats in a business context, it’s essential to conduct an analysis that identifies:

  • Threats to which the application is exposed
  • Attacks that are possible
  • Vulnerabilities present in the system
  • Mitigations and countermeasures necessary to protect the application

This assessment enables informed priority-setting and resource allocation where truly needed, balancing security with operational requirements. Microsoft publishes the free Microsoft Threat Modeling Tool, which walks through these steps (diagram, threat generation, mitigation tracking) and can be downloaded from Microsoft Learn.

STRIDE and Threat Mitigation Summary

STRIDE Methodology (used in Microsoft SDL):

  • Spoofing: Impersonating a user, process, or system, typically with stolen or forged credentials
  • Tampering: Unauthorized modification of data or code, in transit or at rest
  • Repudiation: A user can deny having performed an action because it was not reliably recorded
  • Information disclosure: Exposure of confidential information to unauthorized users
  • Denial of service: Making the application or the resources it depends on unavailable to legitimate users
  • Elevation of privilege: Gaining capabilities beyond those granted, for example a normal user performing administrative actions
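The way STRIDE is normally applied in practice is per element: each kind of component in the application diagram (step 2 of the SDL) is exposed to a fixed subset of the six categories, and the threat list (step 3) is generated by walking the diagram. The PowerShell below is an added example, not code from the page or from the Microsoft Threat Modeling Tool; the element-type to STRIDE mapping is the standard STRIDE-per-element table, and the e-commerce diagram and its names are constructed for illustration.

```powershell
# STRIDE-per-element: which threat categories apply to each DFD element type.
$StridePerElement = @{
    ExternalEntity = @('Spoofing', 'Repudiation')
    Process        = @('Spoofing', 'Tampering', 'Repudiation', 'InformationDisclosure',
                       'DenialOfService', 'ElevationOfPrivilege')
    DataFlow       = @('Tampering', 'InformationDisclosure', 'DenialOfService')
    DataStore      = @('Tampering', 'Repudiation', 'InformationDisclosure', 'DenialOfService')
}

# Constructed sample diagram: a hypothetical Internet-facing e-commerce application.
# Zone = trust boundary the element sits in.
$Elements = @(
    [pscustomobject]@{ Name = 'Customer browser'; Type = 'ExternalEntity'; Zone = 'Internet' }
    [pscustomobject]@{ Name = 'Web front end';    Type = 'Process';        Zone = 'DMZ' }
    [pscustomobject]@{ Name = 'Order API';        Type = 'Process';        Zone = 'Internal' }
    [pscustomobject]@{ Name = 'Orders DB';        Type = 'DataStore';      Zone = 'Internal' }
)
$Flows = @(
    [pscustomobject]@{ Name = 'HTTPS browser -> front end';  From = 'Customer browser'; To = 'Web front end' }
    [pscustomobject]@{ Name = 'REST front end -> Order API'; From = 'Web front end';    To = 'Order API' }
    [pscustomobject]@{ Name = 'SQL Order API -> Orders DB';  From = 'Order API';        To = 'Orders DB' }
)

function Get-StrideThreats {
    param($Elements, $Flows)
    $byName = @{}
    foreach ($e in $Elements) { $byName[$e.Name] = $e }

    foreach ($e in $Elements) {
        foreach ($threat in $StridePerElement[$e.Type]) {
            [pscustomobject]@{
                Element = $e.Name; Kind = $e.Type; Threat = $threat
                CrossesTrustBoundary = $false   # an element on its own crosses no boundary
                Disposition = 'Open'            # becomes Mitigated, or Accepted with an approver, in step 4
            }
        }
    }
    foreach ($f in $Flows) {
        # A flow crosses a trust boundary when its endpoints sit in different zones;
        # those interactions are the ones to triage first.
        $crosses = $byName[$f.From].Zone -ne $byName[$f.To].Zone
        foreach ($threat in $StridePerElement.DataFlow) {
            [pscustomobject]@{
                Element = $f.Name; Kind = 'DataFlow'; Threat = $threat
                CrossesTrustBoundary = $crosses; Disposition = 'Open'
            }
        }
    }
}

$threats = Get-StrideThreats -Elements $Elements -Flows $Flows
# 27 candidate threats for this diagram; boundary-crossing flows sort to the top.
$threats | Sort-Object CrossesTrustBoundary -Descending | Format-Table -AutoSize
# How many of each STRIDE class the diagram produces.
$threats | Group-Object Threat | Select-Object Name, Count
```

Each row is a candidate, not a confirmed finding: the analysis in step 3 assigns severity and the Disposition column records the step 4 decision, so that an accepted risk is visible with its approver rather than silently dropped. The two flows that cross from Internet to DMZ and from DMZ to the internal zone are where the Tampering and Information disclosure rows usually turn into concrete requirements (TLS, input validation at the front end, least-privilege service identity for the API).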

Threat Mitigation

Once threats are identified, security controls are implemented following the defense-in-depth principle: if one control fails, others can still protect the system. The number of controls to implement depends on:

  • Organization’s security posture
  • Risk tolerance
  • Assessment of the likelihood of each control failing


Mitigation categories in the Microsoft Threat Modeling Tool:

  • Auditing and Logging
  • Authentication
  • Authorization
  • Communication Security
  • Configuration Management
  • Cryptography
  • Exception Management
  • Input Validation
  • Sensitive Data
  • Session Management

Microsoft Cybersecurity Reference Architectures (MCRA): Your Security Blueprint

The Microsoft Cybersecurity Reference Architectures (MCRA) is a comprehensive resource providing security best practices through detailed technical diagrams and guidance.

What’s Inside: MCRA covers essential cybersecurity domains including:

  • Zero Trust architecture and implementation guidance
  • Security operations workflows and processes
  • Multi-cloud and cross-platform security capabilities (Azure, AWS, GCP)
  • Operational Technology (OT) security
  • Attack chain analysis and defense coverage
  • Azure native security controls
  • Security roles and responsibilities framework

The resource also features Microsoft and The Open Group’s Zero Trust overview, plus the Zero-Trust Rapid Modernization Plan (RaMP) for practical implementation.

Built for Hybrid Environments

MCRA is specifically designed for today’s “hybrid of everything” reality, addressing security across:

  • On-premises datacenters
  • Microsoft 365 and Azure
  • Third-party platforms (ServiceNow, Salesforce, Box, Dropbox)
  • Multi-cloud environments (AWS, GCP)

This makes MCRA an essential reference for organizations navigating complex, distributed IT estates while maintaining a robust security posture. Microsoft publishes MCRA as a downloadable slide deck on Microsoft Learn.


The Microsoft Cloud Security Benchmark (MCSB) is a security framework that provides best practices for securing infrastructure and development platforms across hybrid environments, including Azure, on-premises datacenters, and other cloud providers like AWS and GCP.

Key Components: MCSB consists of two types of guidance:

  • Security controls: High-impact security recommendations generally applicable across any environment
  • Service baselines: Specific interpretations of security controls for individual Azure services, providing prescriptive recommendations for service security configuration

Integration with Microsoft Defender for Cloud

Microsoft Defender for Cloud (MDC) uses MCSB as its default security compliance initiative, implementing over 200 Azure Policy checks to automatically measure security posture.

MCSB security controls are mapped to other recognized security standards, including CIS Controls, NIST SP 800-53, and PCI-DSS, with additional mappings available in the MDC regulatory compliance dashboard. Full documentation is published on Microsoft Learn.

Cybersecurity Best Practices: Core Principles

1. Technology is essential to automate security processes, but it doesn’t replace security experts
2. Best practices are found throughout the MCRA and MCSB frameworks

Key Recommendations: Technology and Tools

  • Learn and utilize all available security capabilities
  • Use multi-technology approaches (not just firewalls/SIEM)
  • Apply both data plane and management plane security controls
  • Protect platform/infrastructure AND specific workloads
  • Use native cloud controls with consistent tooling across providers

Holistic Security

Secure the full lifecycle: people, accounts, devices, interfaces, resources, and underlying services. Balance security with productivity (“healthy friction”), and avoid blocking productivity without meaningful risk reduction.

Privileged Access Protection (Critical):

  • Implement elevated protections for privileged accounts/systems
  • Use strong MFA, threat detection, and rapid response
  • Perform administrative work only from privileged access workstations (PAWs)
  • Protect intermediaries (VPNs, PIM/PAM, domain controllers)

Ransomware Preparedness:

  • Validate BC/DR processes include all critical systems
  • Test ransomware scenarios regularly
  • Protect backups against attacker sabotage/encryption
  • Ensure privileged access protection

Bottom Line: Comprehensive security requires technical controls, proper tools, privileged access protection, and ransomware readiness across the entire asset lifecycle. See the following diagrams for the recommended best practices for protecting against insider and external attacks.

[Diagrams: external attack chain mapped to Microsoft security capabilities (top); insider risk indicators and the Microsoft Purview Insider Risk Management workflow (bottom)]

Top diagram: Shows common external attack steps and corresponding Microsoft security capabilities.

Bottom diagram: Shows insider risk indicators and how Microsoft Purview Insider Risk Management detects, triages, and responds to risky user behavior.

External attacks follow common patterns with varying entry points:

  • Compromised credentials (password spray/social engineering)
  • Phishing emails
  • IoT device compromise
  • Watering hole attacks
  • Cloud application malware

Attack objectives vary: data theft, encryption, ransomware, business disruption, or monetization.

Key insight: Major incidents typically involve privilege escalation via credential theft, mitigated by securing privileged access.

Evolution

Lockheed Martin adapted the military “kill chain” concept to cybersecurity, introducing the attack chain: viewing an intrusion as a sequence of stages, each of which can be detected or disrupted. Today, organizations use the MITRE ATT&CK framework, which catalogs adversary tactics and techniques, for detailed security control planning and threat detection coverage.

Attack chain mapping


Security Best Practices

Attack Techniques Overview: Attackers employ various techniques (phishing, credential theft, software vulnerability exploitation) repeatedly or in combination to achieve their objectives across the attack chain phases: preparation, entry, traversal, and execution. Below are some key best practices:

  • Continuous Improvement: Systematically enhance coverage across the entire attack chain to eliminate blind spots and strengthen vulnerable areas lacking preventive controls.
  • Balanced Investment: Distribute security resources across all lifecycle phases (identify, protect, detect, respond, and recover) rather than concentrating spend on prevention alone.
  • XDR + SIEM Integration: The security operations landscape has evolved from relying solely on Security Information and Event Management (SIEM) to combining it with Extended Detection and Response (XDR) tools. XDR (including Endpoint Detection and Response/EDR) excels at reducing false positives and improving detection effectiveness for specific platforms, while SIEM provides broad visibility and cross-tool correlation. Both are essential for comprehensive security operations.
  • Advanced Automation and Analytics: Minimize manual workload by implementing Security Orchestration, Automation, and Response (SOAR), Machine Learning (ML), and User Entity Behavioral Analytics (UEBA). SOAR technology specifically automates repetitive tasks in detection, investigation, and response, reducing analyst fatigue and distraction.

Recommended Microsoft ransomware best practices

Attack Surface Reduction (ASR) Rules per Ransomware Stage

Stage: Enter environment
  • Block all Office applications from creating child processes
  • Block Office communication applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block execution of potentially obfuscated scripts
  • Block JavaScript or VBScript from launching downloaded executable content

Stage: Traverse and spread
  • Block executable files from running unless they meet prevalence, age, or trusted list criteria
  • Block credential stealing from the Windows Local Security Authority Subsystem (lsass.exe)
  • Block process creations originating from PsExec and WMI commands
  • Use advanced protection against ransomware
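On a machine whose Defender settings are managed locally (or in a lab), the rules in the table can be staged with the Defender PowerShell cmdlets: audit mode first, review what would have been blocked, then block. The script below is an added example and not part of the page; the rule GUIDs are Microsoft’s published identifiers for these rules, and the helper function names are mine.

```powershell
# Added example: roll out the ASR rules from the table above, grouped by ransomware stage.
# Run from an elevated PowerShell session on a machine with Microsoft Defender Antivirus.
$AsrRules = [ordered]@{
    # Enter environment
    'Block all Office applications from creating child processes'               = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office communication application from creating child processes'      = '26190899-1602-49E8-8B27-EB1D0A1CE869'
    'Block Office applications from creating executable content'                = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes'        = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block execution of potentially obfuscated scripts'                         = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    # Traverse and spread
    'Block executable files unless they meet prevalence, age, or trusted list criteria' = '01443614-CD74-433A-B99E-2ECDC07BFC25'
    'Block credential stealing from LSASS (lsass.exe)'                          = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block process creations originating from PsExec and WMI commands'          = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Use advanced protection against ransomware'                                = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
}

function Set-AsrRules {
    param([ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Action = 'AuditMode')
    foreach ($entry in $AsrRules.GetEnumerator()) {
        # Add-MpPreference adds or updates one rule; rules not listed keep their current action.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                         -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    # Get-MpPreference returns parallel arrays of rule IDs and numeric actions.
    $pref = Get-MpPreference
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        $name = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -eq $id } | Select-Object -First 1).Key
        [pscustomobject]@{
            Rule   = if ($name) { $name } else { "(rule not in this table) $id" }
            Action = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

# Step 1: audit mode. Nothing is blocked yet, but every rule hit is logged.
Set-AsrRules -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Step 2: review audit hits. Defender event 1122 = rule fired in audit mode, 1121 = rule blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Step 3: once a rule produces no legitimate hits over a representative period, switch it to block.
# Set-AsrRules -Action Enabled
```

Two caveats a practitioner will hit. If the device is managed by Intune, Group Policy, or Defender for Endpoint security settings management, that policy overrides the local `Add-MpPreference` values, so stage the same rules through the management channel instead. The “prevalence, age, or trusted list” rule depends on cloud-delivered protection being enabled; and legitimate line-of-business tooling that trips a rule in audit mode should be handled with `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` rather than by leaving the rule off.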

Security Best Practices for Ransomware

Work item: Email/Collaboration
  • Implement advanced email security capabilities
  • Enable Attack Surface Reduction (ASR) rules
  • Audit and monitor email

Work item: Endpoint
  • Use ASR rules and tamper protection to block known threats
  • Apply Microsoft security baselines to harden workloads
  • Keep software updated
  • Block unexpected traffic using a host-based firewall or network protection
  • Audit and monitor endpoints

Work item: Detection and Response
  • Prioritize common endpoints and use integrated XDR tools (e.g., Microsoft 365 Defender, now Microsoft Defender XDR) for high-quality alerts and minimal response friction
  • Monitor brute-force attacks (password spray)
  • Detect attempts to disable security controls or logging (event log clearing, PowerShell operational logs)
  • Ensure endpoint protection can rapidly isolate compromised computers

Work item: Backup and Recovery
  • Create automatic regular backup schedules for critical data
  • Validate backups
  • Regularly validate the Business Continuity/Disaster Recovery (BC/DR) plan
  • Secure backup access with strong authentication and MFA
  • Require a security PIN for critical operations
  • Protect recovery documentation
  • Store backups offline or off-site
  • Use an Azure Recovery Services vault for backup storage (supports IaaS VMs, Azure SQL databases, and on-premises assets)
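The “detect attempts to disable security controls or logging” item is concrete enough to check on a Windows host. The PowerShell below is an added example, not code from the page; it uses the Windows event IDs for log clearing and Defender tamper events and checks that PowerShell logging and tamper protection are still in place. The function names are mine, and a 24-hour lookback is an assumption.

```powershell
# Added example: hunt for signs that an attacker is "turning off the lights" on an endpoint.
$Lookback = (Get-Date).AddHours(-24)

function Get-DefenceTamperSignals {
    param([datetime]$Since = $Lookback)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102, 4719; StartTime = $Since }  # 1102 audit log cleared, 4719 audit policy changed
        @{ LogName = 'System';   Id = 104;        StartTime = $Since }  # 104 an event log was cleared
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
           Id = 5001, 5013; StartTime = $Since }                         # 5001 real-time protection disabled, 5013 tamper protection blocked a change
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Time = $_.TimeCreated; Log = $_.LogName; Id = $_.Id
                Summary = ($_.Message -split "`n")[0]
            }
        }
    }
    # Process creation (4688) whose command line clears a log. Needs
    # "Include command line in process creation events" enabled in audit policy.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'wevtutil(\.exe)?\s+cl\b|Clear-EventLog' } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Log = 'Security'; Id = 4688; Summary = 'Log-clearing command executed' }
        }
}

function Test-LoggingPosture {
    # Static checks: are the controls an attacker would disable still on?
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging     = [bool]($sbl.EnableScriptBlockLogging -eq 1)
        PowerShellOpLogEnabled = (Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational').IsEnabled
        TamperProtection       = (Get-MpComputerStatus).IsTamperProtected
        SecurityLogMaxBytes    = (Get-WinEvent -ListLog 'Security').MaximumSizeInBytes
    }
}

Test-LoggingPosture
Get-DefenceTamperSignals | Sort-Object Time -Descending | Format-Table -AutoSize
```

Running this locally is only useful as a spot check: an attacker who can clear the Security log can also stop a scheduled script. The durable version of the same logic is to forward these events to the SIEM or XDR (Microsoft Sentinel or Defender for Endpoint in the Microsoft stack) and alert there, where the clearing of a log is itself the detection and a small Security log size or disabled PowerShell logging is a posture finding.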

Secure Backups: The First Line of Defense Against Ransomware

A comprehensive backup strategy is essential for protecting critical business data.

The Problem

In the scenario used here, a company whose sensitive data was encrypted in a ransomware attack discovered that its traditional backups were not sufficient for recovery. A more robust approach was needed.

The Solution: Security Pillars

1. Multi-Tiered Backups Implement frequent backups covering both on-premises and cloud systems, capturing critical data regularly.

2. Geographic Redundancy Maintain multiple copies in diverse locations to eliminate single points of failure and ensure rapid recovery.

3. End-to-End Encryption Protect data both in transit and at rest, with strict access controls and multi-factor authentication.

4. Continuous Testing Regularly simulate attack scenarios, including ransomware, to validate the effectiveness of recovery systems.

5. Incident Response Integration Define clear roles for IT and security teams in the incident response plan.

6. Personnel Training Educate employees on best practices and risks like phishing that could compromise backups.

The Results

Implementation led to resilient data recovery, reduced downtime, preserved financial data integrity, and a strengthened security posture. Most importantly, it restored trust with customers and regulators.
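For the Azure Recovery Services vault recommended above, the “protect backups against attacker sabotage” and “geographic redundancy” pillars map to a handful of vault properties. The Azure PowerShell below is an added example and not part of the page; it assumes the Az.Accounts and Az.RecoveryServices modules, an existing vault, and hypothetical resource group and vault names.

```powershell
# Added example: harden an Azure Recovery Services vault against backup sabotage.
Connect-AzAccount   # interactive sign-in; use a managed identity or service principal in automation

$vault = Get-AzRecoveryServicesVault -ResourceGroupName 'rg-backup' -Name 'rsv-prod'   # hypothetical names

# 1. Soft delete: deleted backup data is retained (14 days by default) and can be undeleted,
#    so an attacker holding backup-admin rights cannot destroy recovery points outright.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable

# 2. Immutability: blocks operations that shorten retention or delete recovery points.
#    'Unlocked' can still be reverted while the process is being tested; lock it only once proven.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -ImmutabilityState Unlocked

# 3. Geo-redundant storage, for the "multiple copies in diverse locations" pillar.
#    Must be set before the first item is protected; it cannot be changed afterwards.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant

# 4. Verify, and keep verifying: run this from a scheduled job, not once at setup.
function Test-VaultHardening {
    param($Vault)
    $props = Get-AzRecoveryServicesVaultProperty -VaultId $Vault.ID
    $store = Get-AzRecoveryServicesBackupProperty -Vault $Vault
    [pscustomobject]@{
        Vault        = $Vault.Name
        SoftDelete   = $props.SoftDeleteFeatureState
        Immutability = $props.ImmutabilityState
        Redundancy   = $store.BackupStorageRedundancy
        Hardened     = ($props.SoftDeleteFeatureState -eq 'Enabled') -and
                       ($props.ImmutabilityState -ne 'Disabled') -and
                       ($store.BackupStorageRedundancy -eq 'GeoRedundant')
    }
}
Test-VaultHardening -Vault $vault
```

The “strong authentication and MFA” and “PIN for critical operations” items are not vault properties: they come from Entra ID Conditional Access on the accounts that hold the Backup Contributor role, from the security PIN Azure Backup prompts for before destructive operations, and from multi-user authorization (a Resource Guard in a separately administered subscription) so that no single compromised backup admin can disable the protections set above.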

Special Considerations

OT Environments: In operational technology environments, prioritize safety and availability over patching cadence, and rely on passive, network-based detection for legacy systems that cannot run an agent or tolerate active scanning.

Insider Risk: Manage internal threats (data leaks, confidentiality breaches, IP theft, fraud) separately from external ones.

Key Takeaway: A backup isn’t just a data copy. It’s a strategic business continuity component requiring continuous planning, testing, and updates.

I hope you found this guide very useful on “Hybrid Cloud Infrastructure and Application Security Best Practices”. Please, feel free to leave a comment below.
