Google Cloud Platform Virtual Private Cloud Similarly, for GCP, the following security policies related to networking in the CIS Google Cloud Platform are recommended: For each control, the CIS benchmarks provide detailed instructions on why the policy is recommended, as well as the rationale. For example, for 3.1 Ensure that the Default Network Does Not […]
Preparing to assess network, infrastructure, and resource controls – Walk-Through – Assessing Policy Settings and Resource Controls
Preparing to assess network, infrastructure, and resource controls From Chapter 4, Network, Infrastructure, and Security Controls, to Chapter 6, Tips and Techniques for Advanced Auditing, we learned about some of the network, infrastructure, and resource controls available to enterprises across the three major cloud providers. As a reminder, we’ve only covered a subset of the various […]
Assessing network and firewall settings – Walk-Through – Assessing Policy Settings and Resource Controls
Assessing network and firewall settings With network and firewall settings, it’s important to have clarity of environment isolation requirements, which resources are deployed in an environment, network traffic requirements, and governance over routing tables and defining subnets. For our walk-through in this section, our control testing will determine whether traffic logging and alerting have been […]
Assessing resource management policies – Walk-Through – Assessing Policy Settings and Resource Controls
Assessing resource management policies Within cloud environments, there are several different types of resource controls. One type, the ability to manage billing and cost controls, not only has a financial impact but also has technical implications. In many cases, these controls may define a hierarchy of who can add additional compute resources, how […]
Assessing data security policies – Walk-Through – Assessing Policy Settings and Resource Controls
Assessing data security policies Data within an enterprise may be one of the most essential assets that an organization owns, and the means of ensuring that any sensitive data is properly protected, such as encryption, data masking, and logging of changes to data, are likely to be critical controls. In this walk-through, we’ll look at assessing […]
Preparing to assess change management controls – Walk-Through – Assessing Change Management, Logging, and Monitoring Policies
Preparing to assess change management controls As we covered in Chapter 5, Financial Resource and Change Management Controls, obtaining a thorough understanding of where logging and history can be found for changes performed is critical to determining which areas within a cloud environment should be scoped for audit. Chapter 5, Financial Resource and Change Management […]
Assessing audit and logging configurations – Walk-Through – Assessing Change Management, Logging, and Monitoring Policies
Assessing audit and logging configurations Logs are files that detail all the events that occur within the cloud. Logs can show deviations from expected activity, giving visibility of potential security issues. Different log types include application, server, access, network logs, and so on. Logging is a practice that enables you to collect and correlate log […]
Assessing change management and configuration policies 3 – Walk-Through – Assessing Change Management, Logging, and Monitoring Policies
Policy Sentry Another tool that an IT auditor can use to monitor changes in Identity and Access Management (IAM) is an open source solution named Policy Sentry. Policy Sentry is a great tool to manage IAM entities. Policy Sentry also has functionality as an audit and analysis database. It compiles database tables based on AWS […]
Assessing change management and configuration policies – Walk-Through – Assessing Change Management, Logging, and Monitoring Policies
Assessing change management and configuration policies As we covered in Chapter 5, Financial Resource and Change Management Controls, in the cloud, automation is embedded into change management processes. Leveraging automation reduces the opportunity for manual IT control failures. Organizations need to ensure that there are safeguards within the automated process that enforce separation of duties, […]
Assessing change management and configuration policies 2 – Walk-Through – Assessing Change Management, Logging, and Monitoring Policies
Azure Automation Another tool that organizations use for change and configuration management is Azure Automation. Azure Automation allows an organization to automate changes in the Azure environment and across external systems. You first need to create an Automation account before using Azure Automation. To launch Azure Automation, use the following steps: A useful feature for […]