Proposal — SnowOps "Cloud Secure" Baseline Engagement
Prepared for: {{CLIENT}} ({{CLIENT_CONTACT}}) | Date: {{DATE}}
Prepared by: SnowOps | Package: Baseline "Cloud Secure" [B]
Scoped from: Discovery Audit findings
1. Executive summary
{{CLIENT}} is pursuing {{FRAMEWORK}} with a target of {{DEADLINE}}. Our Discovery Audit of your Azure environment identified the gaps summarized in §4. This engagement delivers a hardened, automated, audit-defensible Azure platform — compliant by construction — across {{SUBS}} subscription(s) and {{ENVS}} environment(s){{AKS}}.
You will own everything we deliver as code in your own repositories. There is no black box and no lock-in.
2. Objectives
- Close the infrastructure + identity gaps the audit surfaced (§4 roadmap).
- Stand up a GitOps delivery pipeline with policy gates on every change.
- Establish the evidence floor for early {{FRAMEWORK}} auditor conversations.
- Hand over an operable platform + runbooks your team (or first platform hire) runs.
3. Scope of deliverables
Each line is a real SnowOps module/asset. Items marked (delivered during engagement) are built/configured for {{CLIENT}} as part of this SOW.
Foundations
- Hardened subscription baseline — Management Group, Azure Policy initiative, Defender plans, central Log Analytics (F1 / B3).
- Per-client OIDC identity bootstrap — federated service principal, zero long-lived secrets (B2).
- Per-environment Terraform state backend with AAD-only access + RBAC (F6 / B4).
Network
- Hub-spoke topology, private DNS, NSG flow logs, optional Azure Firewall (F2).
Compute & registry {{AKS}}
- Private AKS with Workload Identity + Kyverno policy floor (F3 / D4) (if AKS in scope).
- Premium ACR, private endpoint, AAD-only, signed-image enforcement (F4).
- Premium Key Vault, RBAC + purge protection + private endpoint (F5).
- GitOps platform layer — ArgoCD app-of-apps, cert-manager, ESO, Kyverno (F8).
CI/CD & quality gates
- Terraform plan/apply pipeline with OPA policy gate (C1).
- Container build → sign → SBOM → scan pipeline (C2).
- AKS deploy + smoke pipeline (C3) (if AKS in scope).
- Pre-commit + PR-blocking gates + OPA bundle + branching standard + PR template (D1, D2, D3, C4, R1).
Identity & access
- AAD baseline, Conditional Access (MFA mandatory, geo/risk policies), PIM, SP rotation, break-glass + sign-in alerting (H1, H2, H3, H5, H7).
Evidence floor (delivered during engagement — M2b)
- Compliance snapshot artifact emitted on every deploy (E0).
4. Findings → roadmap (from your Discovery Audit)
{{ROADMAP}}
5. Timeline & milestones
Target delivery: 4–6 weeks (driven by {{DEADLINE}}).
| Wk | Milestone | Acceptance |
|---|---|---|
| 1 | Foundations: identity (B2), subscription baseline (F1/B3), state backend (F6/B4) | terraform apply clean; OIDC round-trip works; state backend live |
| 2 | Network (F2) + Key Vault (F5) + ACR (F4) | Private endpoints resolve; public access denied |
| 3 | AKS (F3) + Kyverno (D4) + GitOps (F8) (if AKS) | Cluster private; unsigned image rejected; policies enforced |
| 4 | CI/CD pipelines (C1–C3) + quality gates (D1–D3, C4, R1) | PR → plan → gate → apply demonstrated |
| 5 | IAM bundle (H1–H3, H5, H7) | MFA enforced; PIM active; break-glass alert fires |
| 6 | Evidence floor (E0) + handover + runbooks | Snapshot emitted; client team walkthrough complete |
6. Commercial
| Item | Terms |
|---|---|
| Project fee | {{PROJECT_FEE}} (fixed price) |
| Managed retainer | {{RETAINER}}/month — drift detection (S1/S2), evidence (E0), posture upkeep, module updates, support SLA |
| Payment | 50% on signature, 50% on delivery acceptance (§7) |
| Term | Retainer: 12-month initial, 30-day notice thereafter |
Pricing per Y2. Finalize before send.
7. Acceptance criteria
Delivery is accepted when:
- [ ] Every §3 in-scope deliverable is applied to {{CLIENT}}'s environment and its module test/runbook passes.
- [ ] A PR demonstrates the full plan → policy-gate → apply loop.
- [ ] MFA + PIM enforced; no long-lived cloud secrets remain.
- [ ] The compliance snapshot (E0) emits on a deploy.
- [ ] Handover walkthrough completed; runbooks delivered.
8. Assumptions
- {{CLIENT}} provides an Azure subscription + GitHub org with admin access.
- {{GREENFIELD}} environment (brownfield import = F12, M3 — note if applicable).
- Entra ID P1/P2 licensing available where required (CA risk policies, PIM).
- Timely access to a technical point of contact for reviews.
9. Out of scope
- Formal evidence-platform (Vanta/Drata) integration, SIEM, vendor risk, HR security, trust center → Advanced package.
- Application-layer security, penetration testing.
- AWS/GCP (roadmap M5); Azure DevOps CI (roadmap M3).
- The {{FRAMEWORK}} auditor's fee and the certificate itself (issued by the auditor, not SnowOps).
10. Why SnowOps
Everything is code, tested and yours. Compliant by construction. We prove the gap before you pay (the free audit), and we de-risk your first platform hire rather than compete with it. See capabilities.
This proposal is governed by the SnowOps MSA + SOW (Y12). Valid 30 days from {{DATE}}.