# Enterprise Zero Trust Architecture: Microsoft Entra ID & Multi-Cloud IAM
Architect: Kehinde (Kenny) Samson Ogunlowo | Principal AI Infrastructure & Security Architect
Clearance: Active Secret Clearance | Citadel Cloud Management
Enterprise Zero Trust architecture implementation using Microsoft Entra ID, AWS IAM, and Google Cloud IAM, with real-world patterns from Cigna (85% reduction in unauthorized access), Lockheed Martin (FedRAMP High + CMMC L2), and Ceretax (federal-grade tax compliance). Implements NIST SP 800-207 Zero Trust Architecture across hybrid multi-cloud environments.
## Zero Trust Principles Implemented

"Never trust, always verify": across every user, device, workload, and network path
| Principle | Implementation |
|---|---|
| Verify explicitly | MFA, device compliance, risk-based Conditional Access |
| Use least privilege | JIT/JEA, PIM, attribute-based access control (ABAC) |
| Assume breach | Network segmentation, lateral movement prevention, full audit |
| Continuous validation | Real-time risk scoring, session re-evaluation, anomaly detection |
## Architecture
```
┌──────────────────────────────────────────────────────────────────────────────────┐
│                                  IDENTITY PLANE                                  │
│ Microsoft Entra ID         | AWS IAM Identity Center  | Google Cloud IAM         │
│ ──────────────────────────────────────────────────────────────────────────────── │
│ Conditional Access         | Permission Sets          | IAM Conditions           │
│ PIM / JIT Access           | SCPs / Permission Bdry   | Org Policies             │
│ FIDO2 Passwordless         | IAM Roles for SA         | Workload Identity        │
├──────────────────────────────────────────────────────────────────────────────────┤
│                                   DEVICE PLANE                                   │
│ Intune MDM/MAM             | CrowdStrike Falcon       | Entra Joined Devices     │
│ Device compliance policies | TPM attestation          | ZTNA                     │
├──────────────────────────────────────────────────────────────────────────────────┤
│                                  NETWORK PLANE                                   │
│ Azure Private Endpoints    | AWS PrivateLink          | GCP Private SC           │
│ VPC Service Controls       | Network Policies         | Istio mTLS               │
│ Azure Firewall Premium     | AWS Network FW           | Cloud Armor              │
├──────────────────────────────────────────────────────────────────────────────────┤
│                             APPLICATION & DATA PLANE                             │
│ Azure AD App Proxy         | IAP (GCP/Azure)          | BeyondCorp Enterprise    │
│ FIPS 140-2 KMS             | HSM-backed keys          | Azure Confidential VM    │
├──────────────────────────────────────────────────────────────────────────────────┤
│                              VISIBILITY & ANALYTICS                              │
│ Microsoft Sentinel         | Chronicle SIEM           | AWS Security Hub         │
│ Entra ID Protection        | Defender XDR             | Security Command Center  │
└──────────────────────────────────────────────────────────────────────────────────┘
```
## Core Components

### Microsoft Entra ID (Azure AD)
- Conditional Access Policies: location, device compliance, risk-based MFA
- Privileged Identity Management (PIM): JIT elevation with approval workflows
- Entra ID Protection: risk-based sign-in and user risk policies
- External Identities (B2B/B2C): federated identity for partners and customers
- Workload Identity Federation: keyless authentication for GitHub Actions, Kubernetes
- FIDO2 Passwordless: hardware security key enforcement for privileged accounts
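The principles table and the Entra ID component list above describe what Conditional Access enforces but not how the decision is composed. The following is an added example written for this page (not code from this repository and not Entra ID's own engine): a small evaluator that mirrors Entra semantics, where every policy whose conditions match must be satisfied, a single block outcome overrides any grant, and a sign-in frequency forces re-authentication of a stale session. The policy set, the role names, the ordinal risk and authentication-strength scales, and the sign-in contexts are all constructed assumptions.

```python
"""Illustrative Conditional Access evaluator (added example; not Entra ID's
engine and not code from this repository).

Maps the principles above onto policy logic: verify explicitly (authentication
strength, device compliance, risk signals), least privilege (stricter controls
for privileged roles) and continuous validation (sign-in frequency). Entra
semantics are kept: every policy whose conditions match must be satisfied, and
one "block" outcome overrides every grant.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Ordinal scales for comparisons (constructed for this example).
RISK = {"none": 0, "low": 1, "medium": 2, "high": 3}
AUTH_STRENGTH = {"password": 0, "sms": 1, "authenticator": 2, "fido2": 3}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Security Administrator"}


@dataclass(frozen=True)
class Policy:
    name: str
    applies: Callable[[dict], bool]              # condition over the sign-in context
    action: str                                  # "block" or "grant"
    min_auth: str = "password"                   # minimum authentication strength
    require_compliant_device: bool = False
    sign_in_frequency_min: Optional[int] = None  # force re-authentication after N minutes


# Hypothetical policy set; order is for readability only and does not affect the result.
POLICIES = [
    Policy("Block high sign-in risk",
           lambda c: RISK[c["sign_in_risk"]] >= RISK["high"], "block"),
    Policy("Block high user risk from non-compliant devices",
           lambda c: RISK[c["user_risk"]] >= RISK["high"] and not c["device_compliant"],
           "block"),
    Policy("Privileged roles: FIDO2, compliant device, 60 min sign-in frequency",
           lambda c: bool(set(c["roles"]) & PRIVILEGED_ROLES), "grant",
           min_auth="fido2", require_compliant_device=True, sign_in_frequency_min=60),
    Policy("Untrusted location or medium risk: compliant device required",
           lambda c: not c["trusted_location"] or RISK[c["sign_in_risk"]] >= RISK["medium"],
           "grant", require_compliant_device=True),
    Policy("Baseline: authenticator-app MFA for all users",
           lambda c: True, "grant", min_auth="authenticator"),
]


def evaluate(ctx: dict) -> dict:
    """Return the access decision for one sign-in context."""
    matched = [p for p in POLICIES if p.applies(ctx)]
    blocks = [p.name for p in matched if p.action == "block"]
    if blocks:  # a block outcome wins regardless of satisfied grants
        return {"decision": "block", "matched": blocks, "unmet": [],
                "sign_in_frequency_min": None}

    unmet, frequencies = [], []
    for p in matched:
        if AUTH_STRENGTH[ctx["auth_method"]] < AUTH_STRENGTH[p.min_auth]:
            unmet.append(f"{p.name}: authentication strength '{p.min_auth}'")
        if p.require_compliant_device and not ctx["device_compliant"]:
            unmet.append(f"{p.name}: compliant device")
        if p.sign_in_frequency_min is not None:
            frequencies.append(p.sign_in_frequency_min)
    frequency = min(frequencies) if frequencies else None

    # Continuous validation: a session older than the strictest sign-in
    # frequency must re-authenticate even when every other control is met.
    if frequency is not None and ctx.get("session_age_min", 0) > frequency:
        unmet.append(f"re-authentication: session older than {frequency} min")

    return {"decision": "allow" if not unmet else "require_controls",
            "matched": [p.name for p in matched], "unmet": unmet,
            "sign_in_frequency_min": frequency}


# Constructed sign-in contexts, not real tenant data.
ADMIN_FIDO2 = {"roles": ["Global Administrator"], "auth_method": "fido2",
               "device_compliant": True, "trusted_location": True,
               "sign_in_risk": "none", "user_risk": "none", "session_age_min": 10}
ADMIN_PASSWORD_ONLY = {**ADMIN_FIDO2, "auth_method": "password"}
ADMIN_STALE_SESSION = {**ADMIN_FIDO2, "session_age_min": 90}
HIGH_RISK_SIGN_IN = {**ADMIN_FIDO2, "roles": ["User"], "sign_in_risk": "high"}
CONTRACTOR_BYOD = {"roles": ["User"], "auth_method": "authenticator",
                   "device_compliant": False, "trusted_location": False,
                   "sign_in_risk": "low", "user_risk": "low", "session_age_min": 0}

if __name__ == "__main__":
    for name, ctx in [("admin/fido2", ADMIN_FIDO2), ("admin/password", ADMIN_PASSWORD_ONLY),
                      ("admin/stale", ADMIN_STALE_SESSION), ("high risk", HIGH_RISK_SIGN_IN),
                      ("contractor/byod", CONTRACTOR_BYOD)]:
        print(f"{name:16} -> {evaluate(ctx)}")
```

The `unmet` list is the useful output for an operator: it names which policy demanded which control, which is what you would want surfaced in a sign-in log before tuning a policy from report-only to enforced.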
### AWS IAM (GovCloud patterns)
- IAM Identity Center (SSO): centralized access to a multi-account AWS organization
- Permission Boundaries: developer guardrails with delegated admin
- Service Control Policies: preventive controls across the AWS Organization
- IAM Roles Anywhere: short-lived credentials for on-prem workloads
- AWS CloudTrail + Security Hub: compliance audit trail and findings aggregation
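Permission boundaries and Service Control Policies only make sense together once you see how they intersect with an identity policy. The following is an added example written for this page (not code from this repository and not AWS's policy engine): a simplified evaluator that applies the IAM decision order for a principal in a member account. An explicit Deny anywhere wins; otherwise the action needs an Allow at every SCP level on the account's path from the org root, in the boundary if one is attached, and in the identity policy. Resource-based and session policies are left out, only three condition operators are modelled, and the policy documents, the `Name` label, the account's org path and the sample request are constructed assumptions.

```python
"""Simplified AWS IAM effective-permission evaluator (added example; not AWS's
policy engine and not code from this repository).

Decision order for a principal in a member account: explicit Deny anywhere
wins; otherwise an Allow is needed at every SCP level on the org path, in the
permission boundary (if attached) and in the identity policy.
"""
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block; only StringEquals, StringNotEquals and Bool are modelled."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals", "Bool"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals" and (actual is None or str(actual) not in expected):
                return False
            # A missing key makes a ...NotEquals condition true, as in IAM.
            if operator == "StringNotEquals" and actual is not None and str(actual) in expected:
                return False
            if operator == "Bool" and (actual is None or str(actual).lower() != expected[0].lower()):
                return False
    return True


def _policy_result(policy: dict, action: str, resource: str, context: dict) -> Optional[str]:
    """Return "Deny", "Allow" or None (no matching statement) for one policy document."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        not_actions = _as_list(stmt.get("NotAction", []))
        if actions and not any(fnmatchcase(action, a) for a in actions):
            continue
        if not_actions and any(fnmatchcase(action, a) for a in not_actions):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: nothing else in this document matters
        result = "Allow"
    return result


def is_allowed(action: str, resource: str, context: dict, scp_levels: List[List[dict]],
               boundary: Optional[dict], identity_policies: List[dict]) -> Tuple[bool, str]:
    """Decide whether the request is permitted and name the control that decided it."""
    every_policy = [p for level in scp_levels for p in level] + identity_policies
    if boundary:
        every_policy.append(boundary)
    for policy in every_policy:  # 1. explicit deny in any applicable policy wins
        if _policy_result(policy, action, resource, context) == "Deny":
            return False, f"explicit deny in {policy['Name']}"
    for depth, level in enumerate(scp_levels):  # 2. an allow at every org level
        if not any(_policy_result(p, action, resource, context) == "Allow" for p in level):
            return False, f"no SCP allow at org level {depth}"
    if boundary and _policy_result(boundary, action, resource, context) != "Allow":
        return False, "not allowed by permission boundary"  # 3. boundary must allow
    if not any(_policy_result(p, action, resource, context) == "Allow" for p in identity_policies):
        return False, "no allow in identity policy"  # 4. identity policy must allow
    return True, "allowed"


# Constructed policy documents; the "Name" key is a label for this example only.
FULL_ACCESS = {"Name": "FullAWSAccess", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
GOVCLOUD_REGION_GUARDRAIL = {"Name": "DenyOutsideGovCloud", "Statement": [
    {"Effect": "Deny", "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-gov-west-1", "us-gov-east-1"]}}}]}
PROTECT_AUDIT_TRAIL = {"Name": "ProtectCloudTrail", "Statement": [
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"}]}
DEVELOPER_BOUNDARY = {"Name": "DeveloperBoundary", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "lambda:*", "logs:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
DEVELOPER_POLICY = {"Name": "DeveloperPolicy", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "lambda:*", "iam:CreateRole", "ec2:RunInstances"]}]}

# Hypothetical org path root -> workload account: the root carries the guardrails.
ORG_PATH = [[FULL_ACCESS, GOVCLOUD_REGION_GUARDRAIL, PROTECT_AUDIT_TRAIL], [FULL_ACCESS]]
BUCKET_OBJECT = "arn:aws-us-gov:s3:::app-bucket/report.csv"  # constructed ARN


def developer_request(action: str, region: str, resource: str = BUCKET_OBJECT) -> Tuple[bool, str]:
    """Evaluate one request by the hypothetical developer principal."""
    return is_allowed(action, resource, {"aws:RequestedRegion": region},
                      ORG_PATH, DEVELOPER_BOUNDARY, [DEVELOPER_POLICY])


if __name__ == "__main__":
    for act, region in [("s3:GetObject", "us-gov-west-1"), ("s3:GetObject", "us-east-1"),
                        ("ec2:RunInstances", "us-gov-west-1"), ("iam:CreateRole", "us-gov-west-1"),
                        ("cloudtrail:StopLogging", "us-gov-west-1")]:
        print(f"{act:24} {region:14} -> {developer_request(act, region)}")
```

Two of the sample outcomes are the ones worth remembering when debugging access denials: `ec2:RunInstances` is granted by the identity policy yet fails because the boundary never allows it (boundaries are an upper bound, not a grant), and `iam:CreateRole` fails on the boundary's explicit deny even though the GovCloud region SCP deliberately exempts `iam:*`.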
### Google Cloud IAM
- Workload Identity Federation: federated identity for CI/CD (GitHub Actions, GitLab)
- Organization Policy Service: hierarchical constraints across projects
- BeyondCorp Enterprise: context-aware access for internal applications
- VPC Service Controls: data exfiltration prevention perimeters
- Binary Authorization: cryptographic supply chain security for containers
## Compliance Coverage

| Standard | Controls Implemented |
|---|---|
| NIST SP 800-207 | Full ZTA implementation: identity, device, network, application pillars |
| CMMC Level 2 | Access Control (AC), Audit & Accountability (AU), Identification & Authentication (IA) |
| FedRAMP High | AC, AU, IA, SC, SI controls (implemented at Lockheed Martin) |
| HIPAA Security Rule | PHI access controls, audit logging, transmission encryption (Cigna) |
| NIST SP 800-53 Rev. 5 | AC-2, AC-6, IA-2, IA-5, SC-7, SC-28, AU-2, AU-6 |
## Repository Structure

```
entra-iam-zero-trust/
├── terraform/
│   ├── azure/
│   │   ├── conditional-access/     # Entra CA policies
│   │   ├── pim/                    # PIM role assignments
│   │   ├── entra-id-protection/    # Risk policies
│   │   └── private-endpoints/      # Network Zero Trust
│   ├── aws/
│   │   ├── iam-identity-center/    # SSO configuration
│   │   ├── permission-boundaries/  # IAM guardrails
│   │   ├── scps/                   # Org Service Control Policies
│   │   └── privatelink/            # Network isolation
│   └── gcp/
│       ├── workload-identity/      # WIF federation config
│       ├── org-policies/           # Hierarchy controls
│       ├── vpc-service-controls/   # Data perimeters
│       └── beyondcorp/             # Context-aware access
├── policies/
│   ├── conditional-access/         # CA policy JSON templates
│   ├── scp-examples/               # AWS SCP examples
│   └── org-policy-constraints/     # GCP org constraints
├── monitoring/
│   ├── sentinel-analytics/         # Sentinel KQL queries
│   ├── chronicle-rules/            # Chronicle YARA-L rules
│   └── security-hub-findings/      # AWS findings aggregation
└── docs/
    ├── architecture-diagrams/
    ├── runbooks/                   # Incident response procedures
    └── compliance-mappings/        # Control to framework mappings
```
## Production Impact
- 85% reduction in unauthorized access incidents at Cigna via Zero Trust + BeyondCorp
- 10,000+ monthly malicious requests blocked via Cloud Armor + VPC Service Controls (Ceretax)
- FedRAMP High + CMMC L2 compliance achieved at Lockheed Martin for defense workloads
- Zero data exfiltration incidents after Zero Trust implementation at Ceretax
## Author

Kehinde (Kenny) Ogunlowo | citadelcloudmanagement.com | kogunlowo@gmail.com | LinkedIn