This work package provides organisations with expert guidance to design and implement a Zero Trust Architecture (ZTA) aligned with the SANS Cloud Security 549 Cloud Security Architecture & Operations methodology. It integrates Zero Trust principles — identity‑centric access, continuous verification, least privilege, micro‑segmentation, and adaptive policy enforcement — into cloud‑native architectures across Azure, AWS, GCP, and hybrid environments.
The service ensures Zero Trust is embedded into cloud architecture, security controls, operational processes, and continuous monitoring, following SANS 549’s emphasis on threat‑driven design, secure cloud patterns, and operational maturity.
Assess cloud environments against SANS 549 cloud security architecture principles and Zero Trust models.
Design a cloud‑native Zero Trust Reference Architecture aligned to SANS 549.
Strengthen identity, network, workload, data, and operational security across cloud platforms.
Improve detection, response, and automation capabilities using cloud‑native tools.
Establish governance, operating models, and continuous assurance processes.
A SANS 549‑aligned Zero Trust maturity assessment.
A cloud‑native Zero Trust Reference Architecture blueprint.
Hardened identity, network, data, and workload controls.
Updated governance, policies, and operational processes.
A multi‑phase Zero Trust transformation roadmap.
Assessment aligned to:
SANS Cloud Security 549
NIST SP 800‑207
CISA Zero Trust Maturity Model
CIS Controls
Cloud provider security benchmarks (Azure, AWS, GCP)
Assessment across Zero Trust pillars:
Identity (IAM, IdP, workload identities)
Devices (endpoint posture, EDR/XDR)
Networks (micro‑segmentation, ZTNA, cloud networking)
Applications & Workloads (containers, serverless, APIs)
Data (classification, encryption, DLP)
Visibility & Analytics (SIEM, CSPM, XDR)
Automation & Orchestration (IaC, SOAR, policy‑as‑code)
Activities include:
Review of cloud architecture, controls, and governance.
Mapping current capabilities to SANS 549 cloud security patterns.
Gap analysis and prioritised recommendations.
Cloud IAM governance (Azure AD/Entra, AWS IAM, GCP IAM).
MFA, passwordless, conditional access.
Privileged access management (PAM/PIM).
Workload identity governance (managed identities, service accounts).
Cloud micro‑segmentation (NSGs, SGs, firewall policies).
Zero Trust network access (ZTNA).
Private networking (Private Link, VPC endpoints).
Cloud firewalling and WAF patterns.
Container and Kubernetes Zero Trust patterns.
Serverless security (Lambda, Functions, Cloud Run).
API security and gateway integration.
Secure DevOps and CI/CD pipeline controls.
Data classification and sensitivity‑based access.
Encryption, tokenisation, key management (KMS, Key Vault, Cloud KMS).
Data loss prevention (DLP) and insider risk controls.
Data access governance and monitoring.
Secure landing zones aligned to SANS 549 patterns.
CSPM, CIEM, CWPP integration.
Hardening of compute, storage, and database services.
Multi‑cloud and hybrid Zero Trust patterns.
SIEM/SOAR integration (Sentinel, Splunk, Chronicle, QRadar).
XDR and cloud‑native threat detection.
Behavioural analytics and anomaly detection.
Automated remediation and policy enforcement.
Zero Trust governance framework aligned to SANS 549.
Updated cloud security policies and standards.
Architecture principles and decision‑making workflows.
Zero Trust risk register and control mapping.
Operating model for continuous verification and assurance.
Prioritised capability roadmap (12–36 months).
Work package catalogue aligned to cloud maturity.
Dependency mapping across identity, network, data, and cloud.
Costing, resourcing, and risk analysis.
IAM hardening across Azure/AWS/GCP.
Cloud network segmentation and ZTNA deployment.
CSPM, CIEM, CWPP configuration.
SIEM/SOAR/XDR integration.
DevSecOps and CI/CD security integration.
Cloud‑native DLP and data governance deployment.
SANS 549 Zero Trust Maturity Assessment Report
Zero Trust Reference Architecture Blueprint (SANS‑aligned)
Identity & Access Modernisation Pack
Cloud Network Micro‑Segmentation Design
Data Protection & Governance Framework
Monitoring, Detection & Automation Design Pack
Governance & Operating Model Framework
Executive Summary & Board‑Level Presentation
Cloud Zero Trust Landing Zone
Secure DevOps / DevSecOps Integration Guide
Continuous Zero Trust Monitoring Service
Zero Trust Incident Response Playbooks
Multi‑Cloud Zero Trust Architecture
Initiation & Discovery (1–2 weeks)
SANS 549 Zero Trust Maturity Assessment (2–4 weeks)
Architecture & Policy Design (4–8 weeks)
Identity, Network & Data Hardening (variable)
Monitoring & Automation Integration (2–4 weeks)
Governance & Capability Uplift (ongoing)
Optional: Continuous Zero Trust Assurance (subscription)
Lead Cloud Security Architect (SANS 549 Practitioner)
Zero Trust Architect
Identity & Access Specialist
Cloud Network Engineer
DevSecOps & Workload Security Specialist
Governance & Compliance Analyst
Project Manager
Fixed‑price for assessment, architecture, and governance phases.
Time & materials for engineering, integration, and hardening.
Subscription/retainer for continuous Zero Trust monitoring and assurance.
Access to cloud platforms (Azure/AWS/GCP) and identity systems.
Engagement with cloud, security, and DevOps teams.
Availability of existing architecture diagrams and policies.
Client commitment to governance and operational adoption.
Cloud misconfigurations → mitigated through CSPM and IaC.
Identity sprawl → mitigated through IAM governance and PIM.
Operational resistance → mitigated through training and clear operating models.
Tool sprawl → mitigated through consolidation and cloud‑native controls.