Case Study

Zero Trust & DR on Azure

From fragmented posture to a secure, repeatable deployment pattern aligned to EO 14028 and NIST 800-53 Rev 5.

71 → 0

POA&Ms

1.53 → 3.00

Zero Trust maturity target

< 60 min

Infra deploy via Terraform

0 critical/high

CSA findings

Snapshot

Client

U.S. Department of Health & Human Services (HHS)

Industry

Federal – Health & Human Services

Compliance

NIST 800-53 R5 • EO 14028 • FedRAMP

Mission & Challenge 

HHS required continuity of services for the Human Resources Management Enterprise Services Bus (HRMESB) on Azure while measurably improving cyber resilience. The mandate: reduce inherited POA&Ms, enable disaster recovery in a target region, and move to a secure, repeatable deployment pattern – minimizing tenant-wide permissions and modernizing legacy SFTP.

What We Did

Fix

  • Resolved legacy POA&Ms with evidenceable remediation steps.
  • Hardened baselines and IAM; standardized RBAC.
  • Centralized logging and alerting for faster issue triage.

Fortify

  • DR target-region and operational runbooks.
  • Terraform for consistent, environment-based deployments.
  • Replaced VM-based SFTP with Azure Blob SFTP and event-driven processing.

Future-Proof

  • Zero Trust roadmap aligned to HHS priorities.
  • User-Assigned Managed Identity (UAMI) per environment to enforce least privilege.
  • Defender for Cloud coverage and alerting.

71 → 0

POA&Ms

1.53 → 3.00

ZTA

< 60 min

Deploy

0

Crit/High

Impact to Date

  • POA&Ms: Reduced from 71 to 0, tracked in the CSA/evidence log.
  • Zero Trust: Path from 1.53 to 3.00 with mapped control families.
  • Speed & repeatability: Infra spin-up in under 60 minutes using Terraform + GitHub Actions.
  • Quality gates: 0 critical/high CSA findings; standardized pipeline checks.
  • Partner onboarding: Integration pattern reusable across 12 partners.

Tools & Platforms

Entra ID (AAD)

Identity & Access, RBAC

UAMI + Key Vault

Secrets & Least Privilege

Terraform

IaC, Workspaces, Drift Detection

GitHub Actions

CI/CD,  Provenance

Defender for Cloud

Cloud Posture & Alerts

OWASP ZAP

DAST in pipeline

SonarQube

SAST & quality gates

Azure Blob SFTP

VM-free, event-driven

Controls Mapping

  • EO 14028: Supply-chain checks in CI/CD (ZAP/SonarQube), artifact provenance, verifiable gates.
  • NIST 800-53 R5:
  • AC (Access Control): RBAC, UAMI per environment, least privilege
  • CM (Configuration Management): Terraform IaC, pipeline-enforced changes
  • CP (Contingency Planning): DR target-region design and runbooks
  • AU (Audit & Accountability): Centralized logging/alerts, exportable evidence
  • FedRAMP: Inheritance leveraged where applicable; controls tied to runbooks and evidence exports.

Delivery Details

  • Pipelines: GitHub Actions with OWASP ZAP & SonarQube gates; promotion policies by environment.
  • IaC: Terraform with per-environment workspaces; drift detection and documented change history.
  • Observability: Centralized logs/dashboards; alert routing; compliance-ready evidence exports.
  • Runbooks: DR failover procedure, onboarding/offboarding, and control evidence collection.
View commercial price list
Download capability statement