Assessing data security policies

Data within an enterprise may be one of the most essential assets that an organization owns, and ensuring that sensitive data is properly protected through means such as encryption, data masking, and logging of changes to that data is likely to be a critical control. In this walk-through, we’ll look at assessing adherence to data security policies in AWS and Azure by checking that logging and appropriate levels of encryption have been enabled.

AWS

One primary way to check adherence to data security policies within AWS is by reviewing findings in the AWS Security Hub. To review these findings, we will need to perform the following steps:

  1. Navigate and log on to the AWS Console.
  2. Select the Security, Identity, & Compliance service.
  3. Select Security Hub.

Within the Security Hub report, we can review a list of findings that map to some of the standards and frameworks referenced in Chapter 2, Effective Techniques for Preparing to Audit Cloud Environments. In Figure 9.7, we can see that one of our S3 buckets does not have logging or an alarm for changes to the bucket policy:

Figure 9.7 – AWS EC2 data security findings

An additional review of our S3 buckets to confirm encryption and logging can be done by navigating to the S3 service, selecting a specific bucket, and reviewing its properties, as shown in Figure 9.8. Here, we see that default encryption and server access logging are both disabled:

Figure 9.8 – AWS S3 bucket properties
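The console review above scales poorly beyond a handful of buckets. The following script, added here as an example and not taken from the book, performs the same two checks (default encryption and server access logging) from code. The policy it enforces (KMS-backed default encryption, logging enabled, logs not written to the bucket being logged) and the bucket names are assumptions for the example; the response shapes are those returned by boto3's `get_bucket_encryption` and `get_bucket_logging`.

```python
"""Assess S3 bucket data-security settings (default encryption, server access
logging) from the API rather than the console Properties tab.

Added example for this chapter, not from the book. The policy thresholds and
bucket names below are assumptions; the response dictionaries have the shape
boto3 returns for GetBucketEncryption / GetBucketLogging.
"""
from typing import Any, Dict, List, Optional

# Assumed policy: default encryption must use a KMS key (not just SSE-S3).
REQUIRE_KMS = True


def assess_bucket(name: str,
                  encryption: Optional[Dict[str, Any]],
                  logging: Dict[str, Any]) -> List[str]:
    """Return policy findings for one bucket (an empty list means compliant).

    `encryption` is the GetBucketEncryption response, or None when the call
    raised ServerSideEncryptionConfigurationNotFoundError (no default
    encryption configured). `logging` is the GetBucketLogging response; the
    `LoggingEnabled` key is simply absent when server access logging is off.
    """
    findings: List[str] = []
    rules = ((encryption or {}).get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    if not rules:
        findings.append(f"{name}: no default encryption configured")
    else:
        default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if REQUIRE_KMS and algo != "aws:kms":
            findings.append(f"{name}: default encryption is {algo or 'none'}, "
                            f"policy requires aws:kms")
    if "LoggingEnabled" not in logging:
        findings.append(f"{name}: server access logging disabled")
    elif logging["LoggingEnabled"].get("TargetBucket") == name:
        # Logging a bucket into itself creates a write loop and lets anyone
        # who can delete objects in the bucket remove the evidence trail.
        findings.append(f"{name}: access logs written to the same bucket")
    return findings


def collect_from_aws(bucket_names: List[str], session=None) -> Dict[str, List[str]]:
    """Evaluate real buckets (needs boto3 and credentials; not run offline)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = (session or boto3).client("s3")
    results = {}
    for name in bucket_names:
        try:
            enc = s3.get_bucket_encryption(Bucket=name)
        except ClientError as err:
            if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            enc = None
        results[name] = assess_bucket(name, enc, s3.get_bucket_logging(Bucket=name))
    return results


# Constructed sample responses (not real account data): one bucket in the
# state Figure 9.8 shows (no encryption, no logging) and one compliant bucket.
SAMPLE = {
    "tsec-unprotected": (None, {}),
    "tsec-data": (
        {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "alias/tsec-data"}}]}},
        {"LoggingEnabled": {"TargetBucket": "tsec-audit-logs",
                            "TargetPrefix": "s3/tsec-data/"}},
    ),
}


def run_sample() -> Dict[str, List[str]]:
    return {name: assess_bucket(name, enc, log) for name, (enc, log) in SAMPLE.items()}


if __name__ == "__main__":
    for bucket, findings in run_sample().items():
        print(bucket, "OK" if not findings else findings)
```

One caveat when comparing this to Figure 9.8: since January 2023, S3 applies SSE-S3 (`AES256`) default encryption to every bucket, so a bucket that shows no explicit configuration will normally report `AES256` rather than raising the not-found error. That is why the check distinguishes SSE-S3 from KMS instead of only testing for the presence of a rule.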

Now that we’ve assessed some data security settings in AWS, let’s look at an option for pulling the equivalent information within Microsoft Azure.

Microsoft Azure

To validate data security settings for logging and encryption controls on our resources, we’ll need to perform the following steps:

  1. Navigate and log in to the Microsoft Azure portal.
  2. Navigate to All resources.
  3. Select the relevant resources; in this case, we’ve selected tsecstorage Storage account.

As shown in Figure 9.9, after selecting the resource, we can see the properties of the resource as part of Overview:

Figure 9.9 – Microsoft Azure Storage account overview

Here, we can see information regarding data security, such as Version 1.2 being assigned to Minimum TLS version, while Infrastructure encryption is listed as Disabled (note that most cloud providers encrypt stored data at rest by default with platform-managed keys, and infrastructure encryption adds a second, independent layer on top of that; however, refer back to the concept of shared responsibility covered in Chapter 1, Cloud Architecture and Navigation).

To see additional information on data security for this resource, we can use some of the navigation options on the left side of the portal, as shown in Figure 9.10. Here, we see options for checking additional details on Encryption as well as Data protection:

Figure 9.10 – Azure data security

Upon opening the Encryption blade, we can see that in addition to infrastructure encryption being disabled, there are no encryption scopes defined to which it could be applied, as shown in Figure 9.11:

Figure 9.11 – Azure encryption settings and scopes

We’ve now completed our walk-through of data security controls, as well as other policy settings and resource controls.

Summary

In this chapter, we performed a walk-through of basic testing and evidence gathering that can be used for enterprise cloud policy settings and resource controls. We covered preparing to assess network, infrastructure, and resource controls and did some general walk-throughs of the various cloud environments.

In our final chapter, we’ll wrap up our walk-throughs by assessing logs, change management, and monitoring and alerting controls across the cloud providers.