Enterprise Foundations
Enterprise Foundations: overview, scope, and links to services.
Identity
Control who can access what, from where, and under what conditions.
- Centralized identity provider with SSO
- Strong authentication (MFA by default)
- Role-based access, least privilege
- Automated onboarding/offboarding
- Privileged access tightly controlled and audited
Network
Define how systems communicate and where boundaries exist.
- Standardized network architecture (hub-and-spoke)
- Segmented environments and tenants
- Controlled ingress and egress
- Private connectivity to on-prem and partners
- Centralized DNS and traffic inspection
Security
Establish the default protection baseline across all resources.
- Encryption at rest and in transit by default
- Vulnerability scanning and patch management
- Security monitoring and incident response
- Compliance automation (STIG, CIS benchmarks)
- DDoS protection and threat intelligence
Governance
Enforce policies, track costs, and maintain compliance automatically.
- Policy as code (preventive guardrails)
- Automated compliance reporting
- Cost allocation and budgets
- Resource tagging standards
- Audit trails and change tracking
Automation
Ensure everything is repeatable, auditable, and scalable.
- Infrastructure defined as code
- Automated account and environment provisioning
- CI/CD pipelines with policy checks
- Self-service templates for teams
- Drift detection and remediation
Operations
Define how the platform is run and sustained.
- Central logging and monitoring
- Incident response and runbooks
- Backup, recovery, and resilience standards
- Cost visibility and accountability
- Clear ownership and operating model