Google Cloud Platform Virtual Private Cloud – Network, Infrastructure, and Security Controls

Similarly, for GCP, the following security policies related to networking in the CIS Google Cloud Platform are recommended: For each control, the CIS benchmarks provide detailed instructions on why the policy is recommended, as well as the rationale. For example, for 3.1 Ensure that the Default Network Does Not […]

Assessing resource management policies – Walk-Through – Assessing Policy Settings and Resource Controls

Within cloud environments, there are several different types of resource controls. One type, the ability to manage billing and cost controls, has not only a financial impact but also technical implications. In many cases, these controls may define a hierarchy of who can add additional compute resources, how […]

Assessing audit and logging configurations – Walk-Through – Assessing Change Management, Logging, and Monitoring Policies

Logs are files that detail all the events that occur within the cloud. Logs can show deviations from expected activity, giving visibility of potential security issues. Different log types include application, server, access, network logs, and so on. Logging is a practice that enables you to collect and correlate log […]

Assessing change management and configuration policies – Walk-Through – Assessing Change Management, Logging, and Monitoring Policies

As we covered in Chapter 5, Financial Resource and Change Management Controls, in the cloud, automation is embedded into change management processes. Leveraging automation reduces the opportunity for manual IT control failures. Organizations need to ensure that there are safeguards within the automated process that enforce separation of duties, […]

Policies for resource management – Financial Resource and Change Management Controls

To ensure that cloud resources (particularly when using IaaS and PaaS services) align with operational and security policies, it’s often necessary to leverage technical policies to enforce these within a cloud environment. These technical policies allow organizations to configure a technical template of standards that the cloud resources are either configured […]

Performing changes – Financial Resource and Change Management Controls

Beyond using policies and tags to control compliant management of resources, these same features, along with others, may be used to restrict changes. Each of the cloud providers offers a way of grouping resources together for ease of classification. At both a group and an individual level, settings can be applied to lock the […]

Change history – Financial Resource and Change Management Controls

As an auditor, one method that may be used to correlate processes and procedures that mitigate risk is to review activity logs. In cloud environments, these logs may be made up of separate sign-in and event logs that capture change history and actions performed by user accounts, service accounts, or workload identities. […]

Financial billing and cost controls – Financial Resource and Change Management Controls

In a cloud environment, setting up services can be as easy as providing a credit card number. Although this provides the benefit of making cloud services easy to enable and consume, this also adds risk in terms of business continuity (what if the credit card holder leaves the company?), as […]

Common pitfalls – Tips and Techniques for Advanced Auditing

With the scale, speed, and flexibility of the cloud comes complexity. This complexity leads to inherent pitfalls. We will review two broad areas that are common pitfalls for organizations that the IT auditor should be aware of. The first area involves administrative pitfalls that include not managing resource usage, an inability to control […]

Overly permissive access – Tips and Techniques for Advanced Auditing

Cloud environments usually include both human and non-human identities. Cloud environments are often created with overly broad permissions that allow unregulated access to cloud resources. Threat actors who have managed to get initial entry into a cloud environment might be able to leverage these broad permissions to escalate access and move laterally […]