D485 Cloud Security-2

School: Western Governors University
Course: D485
Subject: Information Systems
Date: Apr 3, 2024
Type: docx
Pages: 38
Uploaded by HeyyyJordo
Jordan McCready
Student ID#: 010287766
D485 Cloud Security
DGN1 Task 1
Cloud Security Implementation Plan

A. Executive Summary

SWBTL LLC’s Microsoft Azure cloud environment presents many security concerns and does not align with the company’s business requirements. The following outlines the gaps between the current state of the company’s security environment and its business requirements:

1. Compliance with applicable regulations and standards: SWBTL LLC currently holds contracts with the U.S. government and processes card transactions on a daily basis. Therefore, the company must comply with the Federal Information Security Modernization Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS). Its existing cloud environment does not comply with either.

2. Azure Resource Groups and Azure Role-Based Access Control (RBAC): SWBTL LLC has a business requirement that departmental resources be accessed only by the respective department’s users. This requirement aligns with the principle of least privilege, but the cloud environment does not adhere to it in its current state.

3. Azure Key Vaults and encryption of data at rest and data in transit: No services have been deployed to encrypt data at rest or data in transit. Azure Key Vaults can be used to secure encryption keys when implementing Azure Disk Encryption and Azure SQL Database Transparent Data Encryption (TDE) for data at rest. For data in transit, Azure Key Vault enforces transport-level encryption to protect data between Key Vault and its clients.

4. Backups: SWBTL LLC has business requirements for backups covering their frequency and retention as well as their recovery objectives. No policy or other configuration currently implements these requirements.

5. Vulnerability scanning: The scope of the vulnerability scans is outdated, and it is unknown whether the scans include the cloud environment.

Overall, SWBTL LLC’s cloud environment lacks the security controls needed to fulfill its business requirements and comply with applicable regulations and standards. The company needs to take corrective action to secure the cloud environment.

B. Proposed Course of Action

The proposed course of action for SWBTL LLC is to implement Microsoft’s Azure Government Infrastructure as a Service (IaaS) solution. This solution provides the company with a FedRAMP/FedRAMP+ authorized product that is also authorized at DoD Impact Level (IL) 5. In addition, this service model meets the company’s requirement of allowing deployment and control of multiple operating systems, virtual machines, and custom applications supported by on-demand compute, storage, and network resources.

Applicable regulatory compliance directives include the following:

- Federal Information Security Modernization Act (FISMA): As a U.S. government contractor, SWBTL LLC needs to comply with the information security standards and guidelines required by FISMA, including those developed by the National Institute of Standards and Technology (NIST) (NIST, 2016). The Federal Risk and Authorization Management Program (FedRAMP) leverages NIST standards to provide standardized security requirements for cloud services (FedRAMP, n.d.). Microsoft Azure Government maps its controls to NIST SP 800-53 Rev. 5 to maintain compliance and FedRAMP authorization (Microsoft, 2024). In addition to the FedRAMP security controls, the Department of Defense’s (DoD) Defense Information Systems Agency (DISA) develops and maintains the DoD Cloud Computing Security Requirements Guide (SRG). Compliance with the SRG and the DoD FedRAMP+ controls earns a cloud solution a DoD provisional authorization; Microsoft Azure Government is designated DoD IL 5 (Microsoft, 2023).

- Payment Card Industry Data Security Standard (PCI DSS): PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data. As noted in the Company Overview and Requirements document, SWBTL LLC processes card transactions on a daily basis, so PCI DSS applies to the company. SWBTL LLC must implement security best practices covering the technical and operational system components involved in processing those transactions (PCI Security Standards Council, 2018).

Security Benefits of Microsoft Azure Government IaaS:

The Microsoft Azure Government IaaS solution includes a significant number of security benefits. The following are those required by SWBTL LLC:

- Azure Resource Manager: This service enables the creation of resource groups and the management of the resources within them. Azure Resource Manager also provides a tagging feature to identify which resources belong to which resource group.
- Azure RBAC: This service handles access management for resources. Implementing Azure RBAC restricts access to resources based on need to know (NTK) and helps ensure the principle of least privilege is applied.

- Encryption in transit: With Azure Storage, data in transit can be encrypted using transport-level encryption, wire encryption, and/or client-side encryption.

- Encryption at rest: With Azure Storage, data at rest can be encrypted using storage service encryption, client-side encryption, Azure SQL Database TDE, and/or Azure Disk Encryption.

- Azure Backup: This service lets authorized users back up and restore virtual machines, files, folders, SQL databases, and more. It is essential for ensuring that lost data can be restored securely after accidental destruction (Microsoft, 2022).

Security Challenges of Microsoft Azure Government IaaS:

Although the Microsoft Azure Government IaaS solution offers numerous security benefits, one major security challenge is the misconfiguration of security controls in the cloud environment. Responsibility for implementing security controls is shared between the cloud service provider (CSP) and the customer (Sisodia & Khan, 2022). This makes it important for the customer to implement its security controls according to industry best practices and to test those controls for quality assurance. Improperly implemented security controls could have detrimental effects on the confidentiality, integrity, and availability of the cloud environment.

C. Role-Based Access Control

The following three recommendations can be implemented for RBAC:

1. To implement the principle of least privilege, SWBTL LLC’s Accounting Department should not have access to the IT or Marketing Department’s resources. Likewise, the IT and Marketing Departments should have access only to their own departments’ resources.

2. To implement the principle of least privilege, the Microsoft Azure Government IaaS cloud solution provides built-in roles, such as “Contributor”, that can be assigned to the departments.

3. These roles and the departmental users assigned to them should be reviewed and updated on a regular basis, in accordance with regulatory timeframes.

The following screenshots display the full steps for configuring RBAC for the IT Department, starting at the Resource Groups area. These steps are then repeated for the Accounting and Marketing Departments:
IT Department:
Accounting Department:
Marketing Department:
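The department-to-resource-group rule in section C can be verified after the portal steps rather than taken on trust. The following is an added example, not part of this report and not Microsoft's code: a Python check that reads role assignments in the shape returned by `az role assignment list --all -o json` (only the principalName, roleDefinitionName and scope fields are used) and flags any department group that holds a role on another department's resource group or at subscription scope. The group and resource group names (grp-it, rg-it, and so on), the placeholder subscription id and the embedded sample assignments are all constructed for the example.

```python
"""Least-privilege audit of Azure RBAC role assignments.

Added example, not part of the original report. It checks the rule from
section C: each department's group may hold roles only on its own resource
group. Input mirrors the fields that `az role assignment list --all -o json`
returns (principalName, roleDefinitionName, scope); the sample is constructed
and the group/resource group names are an assumed naming convention.
"""

# Department -> resource group it owns (assumed names)
DEPARTMENT_RESOURCE_GROUPS = {
    "IT": "rg-it",
    "Accounting": "rg-accounting",
    "Marketing": "rg-marketing",
}

# Security group -> department (assumed names)
GROUP_DEPARTMENT = {
    "grp-it": "IT",
    "grp-accounting": "Accounting",
    "grp-marketing": "Marketing",
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# Constructed sample: the first two assignments follow the rule, the last two violate it
SAMPLE_ASSIGNMENTS = [
    {"principalName": "grp-it", "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-it"},
    {"principalName": "grp-accounting", "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-accounting"},
    {"principalName": "grp-accounting", "roleDefinitionName": "Reader",
     "scope": f"{SUB}/resourceGroups/rg-it"},          # cross-department access
    {"principalName": "grp-marketing", "roleDefinitionName": "Owner",
     "scope": SUB},                                    # subscription-wide access
]


def resource_group_of(scope):
    """Return the resource group named in an ARM scope, or None when the scope is
    wider than a resource group (subscription or management group)."""
    parts = scope.strip("/").split("/")
    for i, part in enumerate(parts):
        if part.lower() == "resourcegroups" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def audit(assignments, group_department=GROUP_DEPARTMENT, dept_rgs=DEPARTMENT_RESOURCE_GROUPS):
    """Return one finding per assignment that reaches outside the principal's own department."""
    findings = []
    for a in assignments:
        principal, role, scope = a["principalName"], a["roleDefinitionName"], a["scope"]
        dept = group_department.get(principal)
        if dept is None:
            findings.append(f"{principal}: not mapped to a department, review manually")
            continue
        rg = resource_group_of(scope)
        if rg is None:
            findings.append(f"{principal}: {role} at broad scope {scope}")
        elif rg.lower() != dept_rgs[dept].lower():
            findings.append(f"{principal}: {role} on {rg}, owned by another department")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ASSIGNMENTS):
        print("FINDING:", finding)
```

Running this against a real export (`az role assignment list --all -o json > assignments.json`, then loading the file with `json.load` and passing the list to `audit`) turns recommendation 3 in section C into a repeatable periodic review rather than a manual portal walk-through; an empty result is the expected state.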
D. Encryption

Two best practices to implement in relation to Azure Key Vaults are the following:

- Resource Group isolation: Each Resource Group will have its own dedicated Key Vault, and only users with access to a Resource Group will have access to its departmental Key Vault.

- Key rotation policy: A policy should be configured to generate new keys automatically after a set period. This policy helps keep the company’s encryption keys secure.

Two recommendations for how the Key Vaults can be used to encrypt both data at rest and data in transit are as follows:

- Data at rest: Azure Key Vaults can be used to secure encryption keys when implementing Azure Disk Encryption and Azure SQL Database TDE for data at rest.

- Data in transit: Azure Key Vault enforces transport-level encryption to protect data between Key Vault and its clients.

The following screenshots display the full steps for configuring Key Vaults for the Accounting Department, starting at the Resource Groups area. These steps are then repeated for the IT and Marketing Departments:
Accounting Department:
IT Department:
Marketing Department:
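To make the key rotation best practice from section D concrete, here is an added example, not from this report: a Python script that builds a Key Vault key rotation policy in the JSON shape accepted by `az keyvault key rotation-policy update --vault-name <vault> --name <key> --value @policy.json` (a lifetimeActions list plus attributes.expiryTime) and checks that the rotation interval is shorter than the key's lifetime, so a key is always replaced before it expires. The 90-day rotation, 30-day expiry warning and two-year expiry are assumed values chosen for the example, not figures from the report.

```python
"""Build and sanity-check an Azure Key Vault key rotation policy.

Added example, not part of the original report. The dict produced has the
shape accepted by `az keyvault key rotation-policy update --value @policy.json`
(lifetimeActions with Rotate/Notify actions, attributes.expiryTime). The
interval values are assumptions chosen for the example.
"""
import json
import re

# ISO 8601 date durations as Key Vault uses them: PnYnMnD (no time component)
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def duration_days(iso):
    """Approximate a PnYnMnD duration in days (365/30-day years/months) for ordering checks."""
    m = _DURATION.match(iso)
    if not m or iso == "P":
        raise ValueError(f"unsupported duration: {iso}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + months * 30 + days


def build_rotation_policy(rotate_after="P90D", notify_before_expiry="P30D", expiry="P2Y"):
    """Rotate automatically after rotate_after, warn before expiry, cap key lifetime at expiry."""
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": rotate_after}, "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": notify_before_expiry}, "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": expiry},
    }


def validate_rotation_policy(policy):
    """Return a list of problems; empty means keys are rotated before they can expire."""
    problems = []
    expiry_iso = policy["attributes"]["expiryTime"]
    expiry = duration_days(expiry_iso)
    actions = policy["lifetimeActions"]

    rotate = [a for a in actions if a["action"]["type"] == "Rotate"]
    if not rotate:
        problems.append("no Rotate action: keys would expire without a replacement")
    for a in rotate:
        after = a["trigger"].get("timeAfterCreate")
        if after is not None and duration_days(after) >= expiry:
            problems.append(f"rotation interval {after} is not shorter than expiry {expiry_iso}")

    for a in actions:
        if a["action"]["type"] == "Notify":
            before = a["trigger"].get("timeBeforeExpiry")
            if before is not None and duration_days(before) >= expiry:
                problems.append(f"notification lead time {before} exceeds key lifetime {expiry_iso}")
    return problems


if __name__ == "__main__":
    policy = build_rotation_policy()
    print(json.dumps(policy, indent=2))  # write this to policy.json for the az command
    print("problems:", validate_rotation_policy(policy) or "none")
```

The validation step is the part worth keeping: a rotation interval equal to or longer than the expiry time is accepted by the service but leaves a window in which the key is expired and no successor exists, which surfaces as an outage on the disk or database that depends on it.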
E. Backups

Configuration of File Backup Settings:

A new backup policy is created with the following settings:

- Policy name: SWBTL
- Recovery Point Objective (RPO): 1 day
- Time conducted: 7 p.m. Eastern Time (ET)
- Recovery Time Objective (RTO): 36 hours
- Retention:
  - Instant recovery snapshots: 3 days
  - Daily backup points: 45 days
The above configuration aligns with the company’s business requirements. The company’s requirements documentation states the following:

- The IT Department is responsible for performing and verifying backups
- All cloud servers have an RPO of 1 day
- Backups are conducted daily at 7 p.m. ET
- RTO of 36 hours
- Instant recovery snapshots are maintained for 3 days
- Daily backup points are maintained for 45 days
- The backup policy is named SWBTL
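The backup requirements above are specific enough to be checked mechanically against an exported policy, which is how the IT Department's verification duty can be made routine. The following added example, not from the report, compares a policy dict shaped like an `az backup policy show -o json` export for an Azure VM policy (name, properties.schedulePolicy, properties.retentionPolicy, properties.instantRpRetentionRangeInDays, properties.timeZone) with the stated requirements and lists every deviation. The field layout and the reading of scheduleRunTimes in the policy's time zone are assumptions to confirm against a real export; the sample policy is constructed with two deliberate deviations; and the RTO is recorded but not checked, since it is a restore-testing target rather than a policy field.

```python
"""Check an Azure Backup policy against SWBTL LLC's stated backup requirements.

Added example, not part of the original report. The policy dict mirrors the
fields an `az backup policy show -o json` export carries for an Azure VM policy;
that layout is an assumption to adapt to a real export. The run time is assumed
to be interpreted in the policy's timeZone. RTO is a restore-testing target, not
a policy field, so it is listed but not checked.
"""

REQUIREMENTS = {  # taken from the report's section E
    "name": "SWBTL",
    "frequency": "Daily",               # RPO of 1 day
    "run_hour_local": 19,               # 7 p.m. ET
    "time_zone": "Eastern Standard Time",
    "instant_rp_days": 3,
    "daily_retention_days": 45,
    "rto_hours": 36,                    # informational only
}

SAMPLE_POLICY = {  # constructed: deviates on instant restore days and daily retention
    "name": "SWBTL",
    "properties": {
        "backupManagementType": "AzureIaasVM",
        "timeZone": "Eastern Standard Time",
        "instantRpRetentionRangeInDays": 2,
        "schedulePolicy": {
            "schedulePolicyType": "SimpleSchedulePolicy",
            "scheduleRunFrequency": "Daily",
            "scheduleRunTimes": ["2024-04-03T19:00:00+00:00"],
        },
        "retentionPolicy": {
            "retentionPolicyType": "LongTermRetentionPolicy",
            "dailySchedule": {"retentionDuration": {"count": 30, "durationType": "Days"}},
        },
    },
}


def run_hour(policy):
    """Hour of day of the first scheduled run (clock time in the policy's time zone, assumed)."""
    stamp = policy["properties"]["schedulePolicy"]["scheduleRunTimes"][0]
    return int(stamp[11:13])


def policy_from_requirements(req=REQUIREMENTS):
    """Build a policy dict in the same layout that satisfies every requirement."""
    return {
        "name": req["name"],
        "properties": {
            "backupManagementType": "AzureIaasVM",
            "timeZone": req["time_zone"],
            "instantRpRetentionRangeInDays": req["instant_rp_days"],
            "schedulePolicy": {
                "schedulePolicyType": "SimpleSchedulePolicy",
                "scheduleRunFrequency": req["frequency"],
                "scheduleRunTimes": [f"2024-04-03T{req['run_hour_local']:02d}:00:00+00:00"],
            },
            "retentionPolicy": {
                "retentionPolicyType": "LongTermRetentionPolicy",
                "dailySchedule": {
                    "retentionDuration": {"count": req["daily_retention_days"], "durationType": "Days"}
                },
            },
        },
    }


def check_backup_policy(policy, req=REQUIREMENTS):
    """Return a list of deviations; empty means the policy matches the requirements."""
    p = policy["properties"]
    issues = []
    if policy.get("name") != req["name"]:
        issues.append(f"policy name {policy.get('name')!r} != {req['name']!r}")
    sched = p["schedulePolicy"]
    if sched.get("scheduleRunFrequency") != req["frequency"]:
        issues.append(f"frequency {sched.get('scheduleRunFrequency')} does not give an RPO of 1 day")
    if p.get("timeZone") != req["time_zone"]:
        issues.append(f"time zone {p.get('timeZone')} != {req['time_zone']}")
    if run_hour(policy) != req["run_hour_local"]:
        issues.append(f"backup runs at {run_hour(policy):02d}:00, required {req['run_hour_local']:02d}:00")
    if p.get("instantRpRetentionRangeInDays") != req["instant_rp_days"]:
        issues.append(f"instant recovery snapshots kept {p.get('instantRpRetentionRangeInDays')} days, "
                      f"required {req['instant_rp_days']}")
    daily = p["retentionPolicy"].get("dailySchedule", {}).get("retentionDuration", {})
    if (daily.get("durationType"), daily.get("count")) != ("Days", req["daily_retention_days"]):
        issues.append(f"daily backup points kept {daily.get('count')} {daily.get('durationType')}, "
                      f"required {req['daily_retention_days']} Days")
    return issues


if __name__ == "__main__":
    for issue in check_backup_policy(SAMPLE_POLICY):
        print("DEVIATION:", issue)
    print("compliant policy deviations:", check_backup_policy(policy_from_requirements()))
```

A check like this belongs in the IT Department's verification routine alongside periodic test restores; the policy comparison proves the schedule and retention are as required, while only a timed restore proves the 36-hour RTO.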
F. Security Responsibilities

An excellent benefit of choosing the Microsoft Azure Government IaaS cloud solution is that it is FedRAMP authorized. FedRAMP publishes a document called the Control Implementation Summary (CIS) and Customer Responsibility Matrix (CRM), which delineates the security responsibilities of the CSP, in this case Azure, and of the customer, SWBTL LLC. With an IaaS solution, SWBTL LLC takes on considerably more responsibility for security controls than it would with Platform as a Service (PaaS) or Software as a Service (SaaS) solutions. The following are three risks SWBTL LLC could assume under an IaaS service model:

- One risk is the company assuming that the security controls are fully inherited from the CSP, Microsoft. This is far from the truth, and relying solely on the CSP can lead to security gaps and noncompliance issues with a major impact on the company.

- A second risk is the company not knowing what its own responsibilities are for security controls. This can likewise lead to security gaps and noncompliance issues with a major impact on the company.

- A third risk is the company assuming the security controls will be easy to implement and that anyone in its workforce can do so. The company may then discover that it lacks staff with the expertise needed to implement the controls, or it may settle for staff without the background to handle the role. This risk could lead to the company needing to hire dedicated resources or, worse, trusting non-professionals to implement the security controls. Its impact ranges from low to high depending on the route the company takes.
The following are three recommendations to ensure compliance with the company’s cloud security posture:

- Encrypting data at rest and in transit: It is essential to encrypt data at rest and in transit, especially cardholder data. SWBTL LLC processes transactions and must encrypt this data to remain PCI DSS compliant (PCI Security Standards Council, 2018).

- Access control policy: SWBTL LLC should implement RBAC that exemplifies the principle of least privilege. This approach to access control will help ensure the company is FISMA and NIST compliant.

- Security audits and compliance checks: SWBTL LLC should perform internal audits and compliance checks to ensure there are no gaps in its security posture. The company could also outsource this to a Third-Party Assessment Organization (3PAO) (Martin, 2022).

G. Threats and Countermeasures

The following are three threats with the potential to impact the company’s updated cloud solution, along with the respective mitigation countermeasures:

- Unauthorized access to data: Insider and outsider threats of unauthorized access to data conflict with the NTK principle and the confidentiality pillar of the CIA triad. This threat can result in a data breach, reputational damage to the company, and financial penalties. Mitigation countermeasures combine security tools with access control policies. A web application firewall (WAF) can block access to a cloud environment based on IP address, location, and other parameters. Configuring RBAC implements the principle of least privilege, giving the company’s users only the access needed to perform their job functions.
- Distributed Denial of Service (DDoS) attacks: A DDoS attack can affect the availability of the cloud environment when a malicious entity sends a flood of requests. A mitigation countermeasure for this threat could also be the implementation of a WAF, configured to block the source of the flood based on where the requests are coming from.

- Cloud misconfigurations: Cloud environments are complex, and not having experts to secure the environment can have detrimental effects. Inadvertent misconfigurations can lead to both of the threats mentioned above. A mitigation countermeasure for this threat is to perform security audits and compliance checks to ensure any gaps in the security posture are resolved.
H. Sources

FedRAMP. (n.d.). Program Basics | FedRAMP.gov. Www.fedramp.gov. https://www.fedramp.gov/program-basics/

Martin, C. (2022, March 23). An Integrated Approach to Security Audits. ISACA. https://www.isaca.org/resources/news-and-trends/industry-news/2022/an-integrated-approach-to-security-audits#:~:text=Adopting%20an%20Integrated%20Approach%20to%20IT%20and%20Security%20Auditing&text=This%20requires%20audits%20to%20help

Microsoft. (2022, November 15). Introduction to Azure security. Learn.microsoft.com. https://learn.microsoft.com/en-us/azure/security/fundamentals/overview

Microsoft. (2023, April 4). Department of Defense Impact Level 5 - Azure Compliance. Learn.microsoft.com. https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-dod-il5

Microsoft. (2024, February 6). Regulatory Compliance details for NIST SP 800-53 Rev. 5 (Azure Government) - Azure Policy. Learn.microsoft.com. https://learn.microsoft.com/en-us/azure/governance/policy/samples/gov-nist-sp-800-53-r5

NIST. (2016, November 30). FISMA Background - NIST Risk Management Framework | CSRC. CSRC | NIST. https://csrc.nist.gov/projects/risk-management/fisma-background

PCI Security Standards Council. (2018). PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 3.2.1. For merchants and other entities involved in payment card processing. https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf

Sisodia, J., & Khan, M. (2022, September 9). The Customer’s Responsibility in the Cloud Shared Responsibility Model. ISACA. https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2022/the-customers-responsibility-in-the-cloud-shared-responsibility-model