Access Management
Ensure there are internal policies and procedures for managing access to CSP services and compute instances.
Obtain a list of users with cloud access and validate that their privileges are in line with their roles.
Obtain the cloud password/certificate/token policies and validate through a sample of users that they are compliant (check whether there is a way to continuously monitor this) or, ideally, federated to existing systems.
Validate that access to the cloud is approved by appropriate personnel.
Verify that periodic review of cloud users is performed accurately and completely (e.g. is access updated when employees move between roles or leave the CSC).
Ensure documentation of the use and configuration of CSP access controls.
Ensure there is an approval process, logging process, or controls to prevent unauthorized remote access.
Validate that logs are complete and accurate. What is in place to demonstrate that the logs are complete and accurate? If there is no proof, validate by sample testing to see whether the logs produce the expected results.
Review process for preventing unauthorized access.
Review connectivity between firm network and CSP.
Ensure restriction of users to those CSP services strictly for their business function. Review the type of access control in place as it relates to CSP services.
CSP access control at a CSP level – using IAM with Tagging to control management of compute instances (start/stop/terminate) within networks.
CSC Access Control – using access management (LDAP solution) to manage access to resources which exist in networks at the Operating System/Application layers.
Ensure segregation of duties is documented and followed.
Network Access control – using CSP virtual firewalls, Network Access Control Lists (NACLs), Routing Tables, VPN Connections, private cloud peering to control network access to resources within CSC owned private cloud.
Access to edit/view/delete data – although such users are not administering security, sensitive information still requires privileged access controls.
Ensure the CSP region that hosts resources for CSC data has region-specific certifications.
How does the CSC federate identity to the cloud? Is Active Directory the single source of truth? Is multi-factor authentication enabled on the root account? Who has the ability to create/delete accounts?
Review the access management system (which may be used to allow authenticated access to the applications hosted on top of cloud services) and validate whether it is federated with the cloud systems.
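The user-privilege review and the root-account MFA / account-administration questions above can be evidenced with a small script. The following is an added example (not part of this guide) that assumes an AWS account queried through boto3; the live collection is separated from a pure assess() function so the checks can be exercised on a constructed snapshot without cloud credentials. Policy names treated as "can create/delete accounts" are an assumption.

```python
"""Evidence collector for the cloud access checklist (assumed AWS / boto3)."""

# Assumption: these managed policy names amount to account administration.
ADMIN_POLICIES = {"AdministratorAccess", "IAMFullAccess"}

# Constructed snapshot for offline runs; not data from a real account.
SAMPLE_SNAPSHOT = {
    "root_mfa": False,
    "users": [
        {"name": "alice", "mfa": True, "policies": ["ReadOnlyAccess"]},
        {"name": "bob", "mfa": False, "policies": ["AdministratorAccess"]},
    ],
}


def fetch_iam_snapshot():
    """Collect the IAM facts the checklist needs (live call, needs boto3 creds).
    Only directly attached user policies are gathered; group and inline
    policies are out of scope for this example."""
    import boto3  # imported here so assess() stays usable offline
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            name = u["UserName"]
            attached = iam.list_attached_user_policies(UserName=name)["AttachedPolicies"]
            users.append({
                "name": name,
                "mfa": bool(iam.list_mfa_devices(UserName=name)["MFADevices"]),
                "policies": [p["PolicyName"] for p in attached],
            })
    return {"root_mfa": summary.get("AccountMFAEnabled") == 1, "users": users}


def assess(snapshot):
    """Return audit findings as (principal, issue) tuples, root account first."""
    findings = []
    if not snapshot["root_mfa"]:
        findings.append(("root", "no MFA on the root account"))
    for u in snapshot["users"]:
        admin = ADMIN_POLICIES & set(u["policies"])
        if admin:  # answers "who can create/delete accounts?"
            findings.append((u["name"], "can create/delete accounts via " + ",".join(sorted(admin))))
        if not u["mfa"]:
            findings.append((u["name"], "no MFA device enrolled"))
    return findings


if __name__ == "__main__":
    for principal, issue in assess(SAMPLE_SNAPSHOT):
        print(f"{principal}: {issue}")
```

Replace SAMPLE_SNAPSHOT with fetch_iam_snapshot() to run against a real account, and keep the output as evidence for the periodic user review.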