Jordan McCready
Student ID#: 010287766
D485 Cloud Security
DGN1 Task 1
Cloud Security Implementation Plan
A. Executive Summary
SWBTL LLC’s Microsoft Azure cloud environment displays many security concerns and does not align with the company’s business requirements. The following outlines the gaps between what is evident in the company’s security environment and the company’s business requirements:
1. Compliance with applicable regulations and standards: SWBTL LLC currently has contracts with the U.S. government in addition to processing card transactions on a daily basis. Therefore, the company must comply with the Federal Information Security Modernization Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS). Currently, SWBTL LLC does not comply with these regulations in its existing cloud environment.
2. Azure Resource Groups and Azure Role-Based Access Control (RBAC): SWBTL LLC has a business requirement that departmental resources should only be accessed by the respective department’s users. This requirement aligns with the principle of least privilege. However, the cloud environment does not adhere to this concept in its current state.
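As an added example that is not part of this plan, the following Python script audits a list of Azure role assignments against the rule in this item: each department’s user group may hold a role only within that department’s resource group, and never a role such as Owner that confers control of access itself. The subscription ID, the department-to-resource-group mapping, the group names and the assignments are constructed sample data; only the resource ID layout is Azure’s.

```python
"""Least-privilege audit of Azure RBAC role assignments, one resource group per
department.  Added example, not part of the original plan: the department list,
resource group names, group names and assignments are constructed sample data;
the scope strings follow the real Azure resource ID layout."""
from __future__ import annotations
from dataclasses import dataclass

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed mapping: the resource group each department owns.
DEPARTMENT_RESOURCE_GROUPS = {
    "finance": "rg-finance",
    "hr": "rg-hr",
    "engineering": "rg-engineering",
}

# Built-in roles that confer control of access or of everything in scope; a
# department user group should not hold these even inside its own resource group.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}


@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # Entra ID group the role is assigned to
    department: str  # department that group belongs to
    role: str        # built-in role name
    scope: str       # Azure resource ID at which the role applies


def resource_group_scope(subscription_id: str, rg_name: str) -> str:
    return f"/subscriptions/{subscription_id}/resourceGroups/{rg_name}"


def scope_within(scope: str, allowed: str) -> bool:
    """True if `scope` is `allowed` itself or a resource nested inside it.
    Resource IDs compare case-insensitively, and the trailing '/' check stops
    'rg-finance' from matching 'rg-finance-archive'."""
    s, a = scope.lower(), allowed.lower()
    return s == a or s.startswith(a + "/")


def audit_assignment(ra: RoleAssignment, subscription_id: str = SUBSCRIPTION_ID) -> list[str]:
    """Return the least-privilege findings for one assignment (empty if clean)."""
    rg_name = DEPARTMENT_RESOURCE_GROUPS.get(ra.department)
    if rg_name is None:
        return [f"{ra.principal}: unknown department '{ra.department}'"]
    findings = []
    allowed = resource_group_scope(subscription_id, rg_name)
    if not scope_within(ra.scope, allowed):
        findings.append(f"{ra.principal}: '{ra.role}' granted at {ra.scope}, outside {allowed}")
    if ra.role in PRIVILEGED_ROLES:
        findings.append(f"{ra.principal}: privileged role '{ra.role}'; "
                        "use Contributor or Reader scoped to the department resource group")
    return findings


def audit(assignments, subscription_id: str = SUBSCRIPTION_ID) -> dict[str, list[str]]:
    """Group findings by principal; principals with no findings are omitted."""
    report: dict[str, list[str]] = {}
    for ra in assignments:
        found = audit_assignment(ra, subscription_id)
        if found:
            report.setdefault(ra.principal, []).extend(found)
    return report


# Constructed sample: one compliant assignment and three gaps of the kind the
# summary describes (department users reaching outside their own resources).
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("grp-finance-users", "finance", "Contributor",
                   resource_group_scope(SUBSCRIPTION_ID, "rg-finance")),
    RoleAssignment("grp-hr-users", "hr", "Reader",
                   f"/subscriptions/{SUBSCRIPTION_ID}"),          # whole subscription
    RoleAssignment("grp-eng-users", "engineering", "Owner",
                   resource_group_scope(SUBSCRIPTION_ID, "rg-engineering")),
    RoleAssignment("grp-eng-users", "engineering", "Contributor",
                   resource_group_scope(SUBSCRIPTION_ID, "rg-finance")
                   + "/providers/Microsoft.Storage/storageAccounts/stfinance01"),
]

if __name__ == "__main__":
    for principal, findings in audit(SAMPLE_ASSIGNMENTS).items():
        for line in findings:
            print(line)
```

On the sample data the finance group passes, the HR group is flagged for a subscription-wide Reader grant, and the engineering group is flagged twice: once for holding Owner and once for a grant on a finance storage account. Real assignments can be fed in from an export of the subscription’s role assignments in the same four fields.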
3. Azure Key Vaults and Encryption of data-at-rest and data-in-transit: There are no services spun up to encrypt data at rest or data in transit. Azure Key Vault can be used to secure encryption keys when implementing the Azure Disk Encryption and Azure SQL Database TDE services for data at rest. For data in transit, Azure Key Vault enforces transport-level encryption to protect data between Azure Key Vault and clients.
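The following Python check, added here as an example rather than taken from this plan, walks a constructed inventory of Key Vaults, virtual machines and SQL servers and reports where the controls named in this item are absent: an Azure Disk Encryption extension keyed from Key Vault on each VM, TDE on each database, and purge protection on the vault that holds the keys. A minimum TLS 1.2 check on the SQL servers is included for data in transit as an additional check beyond what the item states. Resource names and settings are sample data; the property names follow Azure’s resource model, and the vault DNS suffix is the Azure Government one.

```python
"""Encryption control check over a constructed Azure inventory: Azure Disk
Encryption keyed from Key Vault on every VM, TDE on every SQL database, and a
Key Vault that cannot lose its keys.  Added example, not from the original
plan; resource names and settings are sample data shaped like the Azure
resource model (ADE extension settings, transparentDataEncryption.state,
enablePurgeProtection, minimalTlsVersion)."""
from __future__ import annotations

# Azure Government Key Vault DNS suffix is vault.usgovcloudapi.net.
KEY_VAULTS = {
    "kv-swbtl-gov": {"vaultUri": "https://kv-swbtl-gov.vault.usgovcloudapi.net/",
                     "enableSoftDelete": True, "enablePurgeProtection": True},
    "kv-legacy":    {"vaultUri": "https://kv-legacy.vault.usgovcloudapi.net/",
                     "enableSoftDelete": True, "enablePurgeProtection": False},
}

# The ADE VM extension (publisher Microsoft.Azure.Security) has a Windows and a
# Linux type; its settings name the Key Vault that protects the disk keys.
ADE_EXTENSION_TYPES = {"AzureDiskEncryption", "AzureDiskEncryptionForLinux"}

VIRTUAL_MACHINES = [
    {"name": "vm-finance-01", "extensions": [
        {"publisher": "Microsoft.Azure.Security", "type": "AzureDiskEncryption",
         "settings": {"EncryptionOperation": "EnableEncryption",
                      "KeyVaultURL": "https://kv-swbtl-gov.vault.usgovcloudapi.net/",
                      "VolumeType": "All"}}]},
    {"name": "vm-hr-01", "extensions": []},                      # no ADE at all
    {"name": "vm-eng-01", "extensions": [
        {"publisher": "Microsoft.Azure.Security", "type": "AzureDiskEncryptionForLinux",
         "settings": {"EncryptionOperation": "EnableEncryption",
                      "KeyVaultURL": "https://kv-legacy.vault.usgovcloudapi.net/",
                      "VolumeType": "OS"}}]},                    # OS disk only
]

SQL_SERVERS = [
    {"name": "sql-swbtl", "minimalTlsVersion": "1.2", "databases": [
        {"name": "cardholder", "transparentDataEncryption": {"state": "Enabled"}},
        {"name": "reporting",  "transparentDataEncryption": {"state": "Disabled"}}]},
    {"name": "sql-legacy", "minimalTlsVersion": "1.0", "databases": [
        {"name": "archive", "transparentDataEncryption": {"state": "Enabled"}}]},
]


def vault_for_uri(uri: str):
    """Inventory entry whose vaultUri matches (case-insensitive, trailing '/' ignored)."""
    wanted = uri.lower().rstrip("/")
    for name, kv in KEY_VAULTS.items():
        if kv["vaultUri"].lower().rstrip("/") == wanted:
            return name, kv
    return None, None


def check_key_vault(name: str, kv: dict) -> list[str]:
    findings = []
    if not kv.get("enableSoftDelete"):
        findings.append(f"{name}: soft delete disabled; deleted keys are unrecoverable")
    if not kv.get("enablePurgeProtection"):
        findings.append(f"{name}: purge protection disabled; disk and TDE keys could be permanently purged")
    return findings


def check_vm(vm: dict) -> list[str]:
    """Pass = ADE extension present, encryption enabled for all volumes, vault known."""
    ade = [e for e in vm["extensions"]
           if e["publisher"] == "Microsoft.Azure.Security" and e["type"] in ADE_EXTENSION_TYPES]
    if not ade:
        return [f"{vm['name']}: no Azure Disk Encryption extension"]
    findings = []
    settings = ade[0]["settings"]
    if settings.get("EncryptionOperation") != "EnableEncryption":
        findings.append(f"{vm['name']}: ADE extension present but encryption not enabled")
    if settings.get("VolumeType") != "All":
        findings.append(f"{vm['name']}: only '{settings.get('VolumeType')}' volumes encrypted; data disks left in clear")
    vault_name, _ = vault_for_uri(settings.get("KeyVaultURL", ""))
    if vault_name is None:
        findings.append(f"{vm['name']}: ADE key vault {settings.get('KeyVaultURL')!r} not in inventory")
    return findings


def check_sql_server(server: dict) -> list[str]:
    findings = []
    # Data in transit: require TLS 1.2 for client connections (added check).
    if server.get("minimalTlsVersion") != "1.2":
        findings.append(f"{server['name']}: minimalTlsVersion is {server.get('minimalTlsVersion')}, require 1.2")
    # Data at rest: TDE is set per database.
    for db in server["databases"]:
        if db["transparentDataEncryption"]["state"] != "Enabled":
            findings.append(f"{server['name']}/{db['name']}: TDE disabled")
    return findings


def run_checks() -> list[str]:
    findings: list[str] = []
    for name, kv in KEY_VAULTS.items():
        findings += check_key_vault(name, kv)
    for vm in VIRTUAL_MACHINES:
        findings += check_vm(vm)
    for server in SQL_SERVERS:
        findings += check_sql_server(server)
    return findings


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

Against the sample inventory the script reports five gaps: the legacy vault without purge protection, the HR VM with no disk encryption, the engineering VM encrypting only its OS disk, the reporting database without TDE, and the legacy SQL server accepting TLS 1.0. The purge-protection check matters because a vault that can be purged takes the disk and TDE keys with it, which turns a deletion into data loss.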
4. Backups: SWBTL LLC has business requirements pertaining to backups. These requirements include the frequency and retention of those backups as well as the recovery objectives of those backups. There is no policy or other configurations in place that adhere to these business requirements.
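To make the relationship between backup frequency and the recovery objectives concrete, the following Python example (added here, not part of the plan) evaluates candidate backup policies against a requirement set for frequency, retention, recovery point objective (RPO) and recovery time objective (RTO). The requirement figures and the policies are constructed; the Company Overview’s actual numbers are not reproduced. The policy fields are a simplified view of an Azure Backup policy, whose standard policy runs once a day and whose enhanced policy supports several runs per day.

```python
"""Evaluate backup policies against backup requirements: frequency, retention,
RPO and RTO.  Added example; the figures are constructed and are not SWBTL
LLC's actual requirements.  Policy fields are a simplified view of an Azure
Backup policy (schedule interval and daily retention)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BackupRequirement:
    max_interval_hours: float   # backups must run at least this often
    min_retention_days: int     # recovery points must be kept this long
    rpo_hours: float            # maximum tolerable data loss
    rto_hours: float            # maximum tolerable restore time


@dataclass(frozen=True)
class BackupPolicy:
    name: str
    interval_hours: float                      # 24 for a daily policy; less for an enhanced policy
    retention_days: int
    last_restore_test_hours: Optional[float]   # measured restore time, None if never tested


# Constructed requirement and candidate policies.
REQUIREMENT = BackupRequirement(max_interval_hours=12, min_retention_days=90,
                                rpo_hours=12, rto_hours=8)

POLICIES = [
    BackupPolicy("daily-default", interval_hours=24, retention_days=30, last_restore_test_hours=None),
    BackupPolicy("enhanced-6h",   interval_hours=6,  retention_days=90, last_restore_test_hours=5.0),
    BackupPolicy("enhanced-12h",  interval_hours=12, retention_days=90, last_restore_test_hours=10.0),
]


def worst_case_data_loss_hours(policy: BackupPolicy, missed_runs: int = 0) -> float:
    """Data written since the last successful backup is lost on failure, so the
    exposure is one backup interval; each failed or skipped run adds another."""
    return policy.interval_hours * (missed_runs + 1)


def evaluate_policy(policy: BackupPolicy, req: BackupRequirement) -> list[str]:
    """Return the ways the policy falls short of the requirement (empty if it meets it)."""
    findings = []
    if policy.interval_hours > req.max_interval_hours:
        findings.append(f"{policy.name}: runs every {policy.interval_hours}h, "
                        f"required every {req.max_interval_hours}h")
    loss = worst_case_data_loss_hours(policy)
    if loss > req.rpo_hours:
        findings.append(f"{policy.name}: worst-case data loss {loss}h exceeds RPO of {req.rpo_hours}h")
    if policy.retention_days < req.min_retention_days:
        findings.append(f"{policy.name}: retains {policy.retention_days} days, "
                        f"required {req.min_retention_days}")
    # RTO is only known from a restore test; an untested policy cannot claim it.
    if policy.last_restore_test_hours is None:
        findings.append(f"{policy.name}: RTO of {req.rto_hours}h unverified; no restore test on record")
    elif policy.last_restore_test_hours > req.rto_hours:
        findings.append(f"{policy.name}: last restore took {policy.last_restore_test_hours}h, "
                        f"RTO is {req.rto_hours}h")
    return findings


def evaluate_all(policies=POLICIES, req: BackupRequirement = REQUIREMENT) -> dict[str, list[str]]:
    return {p.name: evaluate_policy(p, req) for p in policies}


if __name__ == "__main__":
    for name, findings in evaluate_all().items():
        print(name, "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

The daily default policy fails on all four counts against the constructed requirement, the 6-hour policy passes, and the 12-hour policy meets the RPO but not the RTO because its last restore test ran too long. The `missed_runs` argument shows why a monitored backup job is part of the RPO: one failed run doubles the exposure.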
5. Vulnerability Scanning: The scope of vulnerability scans is outdated, and it is unknown whether the scans include the cloud environment.
Overall, SWBTL LLC’s cloud environment is lacking the necessary security controls to fulfill its business requirements and comply with regulations and standards. The company needs to take the appropriate corrective actions in securing the cloud environment.
B. Proposed Course of Action
The proposed course of action for SWBTL LLC consists of implementing Microsoft’s Azure Government Infrastructure as a Service (IaaS) solution. This solution provides the company with a FedRAMP/FedRAMP+ authorized product that is also DoD Impact Level (IL) 5 authorized. In addition, this service model meets the company’s requirements of allowing deployment and control of multiple operating systems, virtual machines, and custom applications that can be supported by compute, storage, and network resources on demand.
Applicable regulatory compliance directives include the following:
- Federal Information Security Modernization Act (FISMA): As a U.S. government contractor, SWBTL LLC needs to comply with information security standards and guidelines required by FISMA, including those standards developed by the National Institute of Standards and Technology (NIST) (NIST, 2016). The Federal Risk and Authorization Management Program (FedRAMP) leverages NIST standards to provide standardized security requirements for cloud services (FedRAMP, n.d.). The Microsoft Azure Government cloud solution maps its controls to NIST SP 800-53 Rev. 5 controls to maintain compliance and authorization by FedRAMP (Microsoft, 2024). In addition to the FedRAMP security controls, the Department of Defense’s (DoD) Defense Information Systems Agency (DISA) develops and maintains the DoD Cloud Computing Security Requirements Guide (SRG). Compliance with these SRG and DoD FedRAMP+ controls awards cloud solutions a DoD provisional authorization status. In the case of the Microsoft Azure Government solution, it is designated as DoD IL 5 (Microsoft, 2023).
- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is applicable to any entity that stores, processes, and/or transmits cardholder data. As noted in the Company Overview and Requirements document, SWBTL LLC processes card transactions on a daily basis. With that said, PCI DSS applies to SWBTL LLC. The company must implement security best practices that cover technical and operational system components pertaining to the processed transactions (PCI Security Standards Council, 2018).
Security Benefits of Microsoft Azure Government IaaS:
There are many security benefits included with the Microsoft Azure Government IaaS solution. The following outlines those benefits that are required by SWBTL LLC:
- Azure Resource Manager: This solution enables the creation of resource groups and the ability to manage resources within said resource groups. Azure Resource Manager also provides a tagging feature to identify resources belonging to resource groups.
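The following Python example, added here and not part of the plan, checks that each resource sits in its department’s resource group and carries a matching department tag, and proposes the tag where it is missing. The resource group and resource records are constructed sample data; the resource ID layout and the tag model are Azure’s. Azure does not copy a resource group’s tags onto the resources inside it, so a tag on the group alone does not identify its resources, which is why the derivation step exists.

```python
"""Check that each resource lives in its department's resource group and
carries a matching 'department' tag, deriving the tag from the resource group
when it is missing.  Added example, not from the original plan; the records
are constructed.  Azure does not inherit a resource group's tags onto its
resources, so the derivation mirrors what an 'inherit tag from resource
group' policy would do."""
from __future__ import annotations
import re

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
TAG_KEY = "department"

# Constructed resource groups, one per department, plus an untagged shared one.
RESOURCE_GROUPS = {
    "rg-finance": {"tags": {TAG_KEY: "finance"}},
    "rg-hr":      {"tags": {TAG_KEY: "hr"}},
    "rg-shared":  {"tags": {}},
}


def rid(rg: str, provider_path: str) -> str:
    """Build an Azure resource ID in the standard layout."""
    return f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{rg}/providers/{provider_path}"


# Constructed resources: one correct, one untagged, one placed in the wrong
# department's group, one in a group that has no department at all.
RESOURCES = [
    {"id": rid("rg-finance", "Microsoft.Compute/virtualMachines/vm-finance-01"), "tags": {TAG_KEY: "finance"}},
    {"id": rid("rg-hr", "Microsoft.Compute/virtualMachines/vm-hr-02"), "tags": {}},
    {"id": rid("rg-hr", "Microsoft.Storage/storageAccounts/stfinance01"), "tags": {TAG_KEY: "finance"}},
    {"id": rid("rg-shared", "Microsoft.Network/virtualNetworks/vnet-shared"), "tags": {}},
]

# Resource IDs are case-insensitive, so match the segment name that way.
_RG_RE = re.compile(r"/resourceGroups/([^/]+)/", re.IGNORECASE)


def resource_group_of(resource_id: str) -> str:
    m = _RG_RE.search(resource_id)
    if not m:
        raise ValueError(f"not a resource-group-scoped ID: {resource_id}")
    return m.group(1)


def department_of_group(rg: str):
    return RESOURCE_GROUPS.get(rg, {}).get("tags", {}).get(TAG_KEY)


def check_resource(res: dict) -> list[str]:
    """Findings for one resource: undefined ownership, missing tag, or mismatch."""
    rg = resource_group_of(res["id"])
    rg_dept = department_of_group(rg)
    res_dept = res["tags"].get(TAG_KEY)
    findings = []
    if rg_dept is None:
        findings.append(f"{rg}: resource group has no '{TAG_KEY}' tag; ownership of {res['id']} is undefined")
    if res_dept is None:
        findings.append(f"{res['id']}: missing '{TAG_KEY}' tag")
    elif rg_dept is not None and res_dept != rg_dept:
        findings.append(f"{res['id']}: tagged {res_dept} but placed in {rg} ({rg_dept})")
    return findings


def proposed_tags(res: dict) -> dict:
    """Tags the resource should carry: its own, plus the department taken from
    the resource group when the resource has none and the group has one."""
    tags = dict(res["tags"])
    if TAG_KEY not in tags:
        rg_dept = department_of_group(resource_group_of(res["id"]))
        if rg_dept is not None:
            tags[TAG_KEY] = rg_dept
    return tags


def audit(resources=RESOURCES) -> dict[str, list[str]]:
    """Findings keyed by resource ID; clean resources are omitted."""
    return {res["id"]: found for res in resources if (found := check_resource(res))}


if __name__ == "__main__":
    for resource_id, findings in audit().items():
        for line in findings:
            print(line)
```

On the sample data the finance VM is clean, the HR VM is flagged for a missing tag (and `proposed_tags` supplies `hr` from its group), the storage account is flagged because its tag and its resource group disagree, and the shared network gets two findings because neither it nor its group names a department, so nothing can be derived.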