Preparing to assess network, infrastructure, and resource controls
From Chapter 4, Network, Infrastructure, and Security Controls, to Chapter 6, Tips and Techniques for Advanced Auditing, we learned about some of the network, infrastructure, and resource controls available to enterprises across the three major cloud providers. As a reminder, we have only covered a subset of the available options, enough to provide foundational knowledge. As we covered in Chapter 2, Effective Techniques for Preparing to Audit Cloud Environments, obtaining a thorough understanding of how the enterprise environment is architected and connected is critical to determining which areas within a cloud environment should be scoped for audit.
Having architectural diagrams that indicate areas of integration will highlight whether there are hybrid and/or multi-cloud controls that should be assessed. As we identified in our control walk-through in Chapter 8, Walk-Through – Assessing IAM Controls, depending on integration and architecture, a control may need to be assessed for effectiveness across more than one enterprise cloud platform to determine whether the control objective is being met for the enterprise as a whole. Architectural diagrams showing the flow of data and resources will help to highlight that need. These diagrams should indicate environment tiering (for example, production versus test environments), data flows and the sensitivity of the data, encryption in transit and at rest, destinations, ports, protocols, and connectivity to external environments not managed by the enterprise.
Another critical component, especially for network, infrastructure, and resource controls within hybrid environments, is determining roles and responsibilities for the management of these components. It is very common that the individuals responsible for managing the on-premises network architecture are not the same individuals who manage it within the cloud environments. Walking through the integration diagram with both sets of responsible/accountable individuals will provide a more holistic view of the strength of integrated controls from either side, and will often surface gaps at the boundary where each team assumes the other owns a control.
In the sections that follow, as a prerequisite, you will require a minimum level of view or read access to obtain the test evidence independently. Depending on your specific organization's configuration and any additional customizations, you may require additional access rights or group memberships to directly access specific content, or you may be required to work with an administrative point of contact for your organization as you observe them pulling control evidence. For reference, any screenshots in the following sections are based on a user with administrative privileges to the cloud environment, so some menu items or settings shown may not be visible to a user with narrower, read-only access.
Now that we have touched on a few points of preparation, let’s perform our first walk-through challenge to assess network and firewall settings within an enterprise cloud environment.