As organizations embrace cloud computing, cybersecurity practices continue to evolve. A robust cloud security posture protects assets from bad actors and helps organizations realize the benefits of cloud computing. In this task, you will assume the role of cloud security engineer for SWBTL LLC. You have been hired following the departure of a disgruntled employee who left behind no documentation and created cybersecurity concerns.

You will analyze the current environment, using the lab environment web link and the "Company Overview and Requirements" attachment, making recommendations and implementing configuration changes in alignment with regulatory and business requirements. The analysis should also include shared responsibilities, risks, threats, and countermeasures. The chief information officer has requested a walk-through of the environment with demonstrations of security misalignments, updated configurations, and how the updates meet compliance requirements.

In your lab instance, you will be provided accounts on the right-hand side that correspond to the specific job roles. Use only those accounts to complete the task. You may see other accounts or groups in the lab, but those should not be used.

REQUIREMENTS

Your submission must be your original work. No more than a combined total of 30% of the submission and no more than a 10% match to any one individual source can be directly quoted or closely paraphrased from sources, even if cited correctly. The similarity report that is provided when you submit your task can be used as a guide.

You must use the rubric to direct the creation of your submission because it provides detailed criteria that will be used to evaluate your work. Each requirement below may be evaluated by more than one rubric aspect. The rubric aspect titles may contain hyperlinks to relevant portions of the course.

Tasks may not be submitted as cloud links, such as links to Google Docs, Google Slides, OneDrive, etc., unless specified in the task requirements. All other submissions must be file types that are uploaded and submitted as attachments (e.g., .docx, .pdf, .ppt).

A. Provide an executive summary of the company's current security environment based on the business requirements given in the "Company Overview and Requirements" document.

B. Describe a proposed course of action for a secure Azure cloud solution for the company, based on the given scenario, and include the following in your description:

  - identification of the service model
  - applicable regulatory compliance directives
  - security benefits and challenges of transitioning to this service model

C. Analyze the current state of role-based access controls in the cloud lab environment for the marketing, accounting, and IT resource groups.

1. Discuss three recommendations for role-based access controls that can be configured in alignment with the principle of least privilege based on the business requirements in the given scenario.

2. Configure the role-based access controls in alignment with your given recommendations in part C1 and provide a screenshot for each of the updated configurations. The screenshots must be clear and show the full view of your screen, including the date and time.

D. Analyze the existing Azure Key Vaults in the cloud lab environment focusing on encrypting data in transit and data at rest for the marketing, accounting, and IT resource groups.

1. Implement two best practices for Azure Key Vaults applicable to the resource groups listed and in alignment with the given scenario, providing screenshots of your updated access policies for each group. The screenshots must be clear and show the full view of your screen, including the date and time.

2. Explain two recommendations for how the key vaults can be used to encrypt both data at rest and data in transit.

E. Analyze the current state of file backups in the cloud lab environment for the company.

1. Configure two settings for file backups that are in alignment with the given scenario, providing screenshots of your updated configurations. The screenshots must be clear and show the full view of your screen, including the date and time.

2. Explain how the updated configurations from part E1 support the business requirements.

F. Describe the division of security responsibilities between the company and the cloud service provider (Azure), including shared responsibilities if any, for the cloud service model you selected in part B.

1. Discuss three risks assumed by the company for the cloud service model based on the shared responsibilities identified in part F, and include in your discussion the level of impact each risk may have on the company's use of cloud computing resources.

2. Explain three recommendations to ensure compliance with the company's cloud security posture, and include a justification based on industry best practices for each recommendation.

G. Explain three threats that have the potential to impact the company's updated cloud solution, and include in the explanation the threat mitigation countermeasures that could be used to minimize the impact of each threat.

Company Overview and Requirements

SWBTL LLC began as a local document and delivery service in 1977. The small business initially provided 24-7 on-demand local shipping services via van, flatbed, and box truck. Over time, the company has grown due to innovative strategies and successful acquisitions. SWBTL LLC now supports nationwide services and employs over 2,000 professionals.

The organization leverages information technology to enable growth by supporting operations with internally developed and vendor-provided software. All servers and applications have been hosted in four leased data centers in the United States. SWBTL LLC does not own the data centers, and these leased data centers are beginning to constrain logistics activities due to increasing fees, service interruptions, and cybersecurity concerns. Additionally, the company maintains contracts with the U.S. government and processes card transactions daily, so it must comply with regulations such as the Federal Information Security Modernization Act (FISMA) and the Payment Card Industry Data Security Standard (PCI DSS).

These factors, along with growing cybersecurity concerns related to regulatory compliance and an upcoming NIST SP 800-53 assessment, have rapidly forced SWBTL LLC to embrace the Microsoft Azure cloud environment. This provider was selected to support legacy authentication requirements, easily integrate with the existing Active Directory structure, and ensure compatibility for internally developed software as the cloud transition takes place over the next several years. The organization requires a service model that will allow the deployment and control of multiple operating systems, virtual machines, and custom applications that can be supported by compute, storage, and network resources on demand. The initial roles migrating to the cloud environment include the marketing, accounting, and IT resource groups.

The consultant responsible for the migrations became disgruntled and unexpectedly departed for another position. Since the departure, users have reported being able to view data and assets belonging to other teams throughout the company. IT administrators have been unable to verify file and system backups as required since the beginning of the cloud transition. Also, vulnerability scanning boundaries have not been validated in more than two years and may not encompass the Azure instance.

Senior leadership is concerned that the cloud instance may not comply with regulatory requirements, leaving systems vulnerable to exploitation by advanced persistent threats or malicious actors. The chief information officer has created a list of prioritized business requirements and seeks to minimize risk and avoid cyberattacks that have plagued supply chain and logistics operations in recent months. All findings and mitigation actions should be presented to leadership upon completion.

Business Requirements

  1. Maintain compliance with applicable regulations and standards to support the success of federal contracts.
  2. The company should maintain the ability to provision, configure, and operate cloud virtual servers as needed.
  3. The cloud instance should support the encryption of data-at-rest and data-in-transit in accordance with industry standards and regulatory requirements.
  4. Each migrating department (Accounting, Marketing, and IT) should have its own Azure Resource Group. Each group should only contain resources associated with the respective department.
  5. Each migrating department should have its own Azure Key Vault to help embrace the principle of least privilege.
  6. Access policies for all Microsoft Azure Key Vaults should be configured to allow Key Vault Contributor access for departmental users only. For example, the three user instances for accounting should be the only users assigned to this role for the Accounting Key Vault.
  7. The IT department is responsible for performing and verifying backups.
  8. All cloud servers have a recovery point objective (RPO) of 1 day. Standard backups should be conducted daily at 7 p.m. Eastern Time (ET) on all servers to meet the company's recovery time objective (RTO) of 36 hours.
  9. Instant recovery snapshots should be maintained for 3 days, and the daily backup points must be maintained for 45 days.
  10. All virtual machines may be backed up using a single Recovery Vault, but a new backup policy named SWBTL should be created to ensure proper configurations.
  11. Tags can be used throughout the environment to identify resources belonging to each department.
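
Requirements 6 and 8 through 10 are concrete enough to check mechanically. The following is an added example, not part of the assignment or the lab: it audits an exported backup policy and a list of Key Vault role assignments against those requirements. The sample data and user names are constructed, and the field names assume the JSON shape Azure uses for VM backup policies and role assignments.

```python
# Constructed sample data, not taken from the SWBTL lab. Field names assume the
# JSON shape Azure uses for VM backup policies and role assignments.
SAMPLE_POLICY = {
    "name": "SWBTL",
    "properties": {
        "timeZone": "Eastern Standard Time",
        "instantRpRetentionRangeInDays": 2,
        "schedulePolicy": {"scheduleRunFrequency": "Daily", "scheduleRunTimes": ["2024-01-01T19:00:00Z"]},
        "retentionPolicy": {
            "dailySchedule": {"retentionDuration": {"count": 30, "durationType": "Days"}}
        },
    },
}
SAMPLE_ASSIGNMENTS = [  # role assignments scoped to the Accounting key vault
    {"principalName": "acct-user1@example.com", "roleDefinitionName": "Key Vault Contributor"},
    {"principalName": "mktg-user1@example.com", "roleDefinitionName": "Key Vault Contributor"},
]
ACCOUNTING_USERS = {"acct-user1@example.com", "acct-user2@example.com", "acct-user3@example.com"}


def audit_backup_policy(policy):
    """Return findings where the policy misses business requirements 8-10."""
    p, findings = policy["properties"], []
    sched = p.get("schedulePolicy", {})
    daily = p.get("retentionPolicy", {}).get("dailySchedule", {}).get("retentionDuration", {})
    if policy.get("name") != "SWBTL":
        findings.append("policy must be named SWBTL")
    if sched.get("scheduleRunFrequency") != "Daily":
        findings.append("backups must run daily (RPO 1 day)")
    # Assumption: the run time is read in the policy's timeZone despite the Z suffix.
    times = [t[11:16] for t in sched.get("scheduleRunTimes", [])]
    if times != ["19:00"] or p.get("timeZone") != "Eastern Standard Time":
        findings.append("backup must start at 19:00 Eastern Time")
    if p.get("instantRpRetentionRangeInDays") != 3:
        findings.append("instant recovery snapshots must be kept 3 days")
    if (daily.get("count"), daily.get("durationType")) != (45, "Days"):
        findings.append("daily backup points must be kept 45 days")
    return findings


def audit_vault_roles(assignments, department_users):
    """Return principals holding Key Vault Contributor outside the department (req. 6)."""
    return sorted(a["principalName"] for a in assignments
                  if a["roleDefinitionName"] == "Key Vault Contributor"
                  and a["principalName"] not in department_users)


if __name__ == "__main__":
    print(audit_backup_policy(SAMPLE_POLICY))
    print(audit_vault_roles(SAMPLE_ASSIGNMENTS, ACCOUNTING_USERS))
```

An empty list from both functions means the exported configuration matches the stated requirements; each finding maps to one setting to correct before taking the screenshots.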
