All Microsoft Partners are Security Partners
As Microsoft Partners, we try to focus on a specific Microsoft Solution Area when we first get started and pursue a Solution Partner designation in that solution area. As time progresses, we may choose to expand into other Microsoft solution areas. By expanding, we will reach more customers and offer more services to existing customers. However, it is also common to continue to focus on a single solution area.
Currently Microsoft has the following solution areas:
Business Applications
Data and AI
Digital & App Innovation
Infrastructure
Modern Work
Security
It's important to recognize that security should be considered in all solution areas, even if they are not explicitly related to security. Security is akin to the immune system of any cloud solution and should be embedded in the solutions we propose to our customers. Two key areas where security plays a critical role are the Partner's tenant and the customer's tenant. As a Microsoft Partner, it is your responsibility to ensure that your Partner Tenant is secure. To achieve this, familiarity with security is necessary. The CSP security best practices and Zero Trust principles can serve as a good starting point to improve security.
Microsoft offers well-documented security best practices that can be implemented on the customer's tenant. Additionally, many Microsoft services and products have Security Baselines that can serve as guidelines for designing solutions in Azure or Office 365. By following these guidelines, we can ensure that security is prioritized in all areas of our solutions, leading to stronger and more secure cloud environments for our customers.
It is crucial to recognize that preventing every single attack is not always possible. This fact should not be perceived as a binary outcome of winning or losing. The objective should not be solely focused on achieving a complete triumph, but rather on guaranteeing that proper protective measures are implemented to prevent attacks, minimize the damage when an attack is successful, and enable a quick recovery. Therefore, the ultimate goal is to create a resilient system that can withstand attacks and effectively respond to them.
If we do not apply the recommended security best practices on our partner tenant, we put our partner tenant and, by extension, customer tenants at risk. This will not only have a monetary impact but also a reputational one with our customers.
During my time working with Microsoft Partners as a Partner Technical Consultant, there were two common reasons why security was normally not considered as part of the proposed solution:
Cost
Knowledge of security
Cost of Security
Depending on the customer's scenario, implementing services and enabling features that improve security typically increases costs. However, other features that help with security can be enabled at no cost, such as Azure Active Directory Security Defaults or Microsoft Defender for Cloud's recommendations, just to name a few.
We should not be focused on the immediate cost of implementing security. This is because not considering security in your solution can be considered technical debt. Technical debt is a metaphorical term used to describe the cost of short-term solutions that may lead to long-term problems. If security is not properly considered during the design and implementation of a solution, it can lead to security vulnerabilities that may be exploited by attackers, causing significant harm to the system and the organization. Over time, the cost of fixing security vulnerabilities can accumulate and become a burden, leading to higher costs and longer development cycles. Therefore, it's important to prioritize security from the beginning and avoid incurring technical debt related to security.
Knowledge of Security
From a partner perspective, Microsoft offers great guidance on how you can improve the security of your own partner tenant. From a customer's perspective, Microsoft also provides general guidance on how you can improve the security posture of the overall solution you propose.
The following documentation is an excellent reference for Microsoft Partners:
Cloud Solution Provider security best practices - Partner Center | Microsoft Learn
The following documentation complements the previous article with security best practices for customers:
Customer security best practices - Partner Center | Microsoft Learn
I encourage you to also review Zero Trust Principles:
Zero Trust Model - Modern Security Architecture | Microsoft Security
As a complement to the Zero Trust Model white paper, I also encourage reviewing the Microsoft Cybersecurity Reference Architecture (MCRA):
Microsoft Cybersecurity Reference Architectures - Security documentation | Microsoft Learn
Please note that this list is not exhaustive and there are many more ways to improve overall security posture in both your partner and customer tenants. If you need guidance on how to improve the security of your own partner tenant or to integrate security in an existing customer scenario, please do not hesitate to contact our team. We are always ready to discuss and review your scenario and provide tailored recommendations.
In conclusion, regardless of what solution area you specialize in, security always needs to be part of your solution.
Stay tuned for future blogs on this topic where we will be expanding further on how you, as a Microsoft Partner, can improve the security in your own partner tenant and in your customer tenants.