Adopting Zero Trust security across your organization is a complex, multi-year effort spanning business strategy and planning, technical design and architecture, deployment, and operations.
Without a structured approach to adoption, security modernization programs can become fragmented, reactive, and difficult to sustain.
Our structured security adoption model provides standardized, repeatable, role-aware processes that help you plan, prioritize, and implement end-to-end security modernization across hybrid, multicloud, and multi-platform environments.
The adoption model aligns critical business outcomes, security disciplines, and solution implementations so that business leaders, security managers, architects, and practitioners can move forward together at a controlled and sustainable pace across the organization.
Tip
Microsoft offers a rich set of security adoption workshops - the Security Adoption Framework (SAF) workshops. Our structured adoption model guidance aligns with the expert-led guidance from Microsoft Unified delivered in those workshops. Learn more about SAF workshops.
Why use an adoption model?
A structured adoption model helps you to:
- Align with security best practices - Align with Zero Trust principles, Microsoft Secure Future Initiative (SFI) patterns, open standards and guidance, and other security best practices.
- Maximize existing investments - Get value from your existing tools, before introducing new capabilities.
- Deliver an end-to-end security strategy - Connect business priorities to security architecture, controls, processes, and operations.
- Adapt continuously - Evolve security posture and strategy as threats, business needs, and technologies change.
- Prioritize action - Provide practical role-specific guidance for teams and stakeholders, grounded in best practices, lessons learned, and real-world examples.
This diagram illustrates how these elements come together in an adoption model.
How the adoption model integrates existing guidance
This adoption model brings together Microsoft security guidance that was historically published across multiple frameworks and resources, aligning it into a single, actionable structure.
It integrates and builds on established guidance, including these content sources:
- Microsoft Cybersecurity Reference Architecture (MCRA)
- Security Development Lifecycle (SDL)
- Zero Trust and CISO workshops
- The Immutable Laws of Security
- Privileged access/workstation guidance
- Incident response playbooks
By organizing this guidance around common business scenarios, disciplines, and implementation steps, the model helps you move from isolated recommendations to a cohesive approach for planning, implementing, and measuring security improvements. We'll further enrich our adoption model content over time.
Adoption model structure
The adoption model is built on three core components that help organizations move from business intent to detailed implementation:
- Business scenarios define typical business outcomes and how security must be adapted to achieve them.
- Security disciplines define how teams organize, plan, and operate to modernize security and achieve business outcomes.
- Technology pillars describe the organizational assets and resources that we want to secure, for example, identity, devices, and data.
Each component of the adoption model targets a specific audience and role.
| Section | Primary audience | Aim |
|---|---|---|
| Business scenarios | Business leaders | Identify, define, and communicate critical business outcomes that security must support. Translate business priorities into actionable security goals that guide planning and decision-making. Provide practical, repeatable guidance for business outcomes, with clear paths to the roles and disciplines involved in delivering the outcome. |
| Security disciplines | Security leaders and teams, IT leaders, designers, architects | Bridge business scenarios and security deployment/implementation. Ensure that security investments and priorities translate into measurable outcomes through clear planning, architecture, and operational practices. Business scenarios usually map to multiple security disciplines. |
| Technology pillars | Technical and security implementers and partners | Define what types of assets must be secured, and where Zero Trust principles and security controls must be applied. Connect security strategy to implementation by grouping related technologies, controls, and capabilities. Business scenarios are likely to cross multiple technology pillars. For example, if our business outcome is to improve security posture across the enterprise, then we must improve posture across devices, data, infrastructure, networks, and more. |
Adoption guidance
Structured adoption guidance focuses on:
- End-to-end guidance for common business-critical scenarios.
- Product-agnostic recommendations based on Zero Trust principles, Microsoft best practices, and external frameworks.
- Detailed implementation guidance using Microsoft security products and services.
Next steps
Review options for beginning your security adoption journey.