Playbook for CDR Principals to review the cloud infrastructure environment security.
Overview
The CDR Schedule 2, Part 2 requirements include a range of security practices that are often applied by default or by simple configurations in modern cloud infrastructure like AWS, Google Cloud and Azure.
Planning
This playbook is designed for CDR Principals to follow in live observation meetings with their representatives to validate their security requirements with minimal evidentiary burden for both parties. It is recommended this be conducted in a 30-60 minute meeting between the compliance lead of the CDR Principal and a senior representative with administrator access for the cloud environment of the CDR Representative (eg. CTO). The steps below should be captured in a checklist or other form to demonstrate which controls are in place and have been confirmed accordingly.
Steps
The CDR Representative should show on screen the below items in these areas:
1. Access Control
The user access for the infrastructure should:
a. Unique User ID's: Each account has uniquely assigned identification, ie. named for the individuals first name and last name.
b. Role-based Access: Include an assigned role based on the required access (eg. Administrator, Read-only).
c. Administrator Access: Admin access should generally be restricted to less than five individuals, but often more than 1-2, to ensure business continuity. Enquiry should confirm the individuals with Admin access require it based on their required roles.
d. Multi-factor Authentication: MFA is enforced to access the infrastructure.
e. Strong Passwords: The minimum passwords configured meet good practices like minimum 8 characters, complexity settings, and password expiry.
2. Database security
a. Public Access Restricted: Check database(s) are set to prevent public access, and require authentication and access through defined protocols.
b. Encryption at Rest: Encryption is applied to the production database(s) that do / will hold any CDR data.
c. (Optional) Access restricted: If direct access to the production databases is prohibited, check this restriction is applied, with segregation of duties to make changes that would enable access.
3. Network Security
a. Network Firewalls: The network firewall security groups have been configured to default disallow traffic, with defined ports for authenticated access to the network.
b. (Optional) Web Application Firewalls: If implemented, review that web application firewalls are implemented that restrict traffic to what is authorised and valid.
c. Encryption in Transit: All network traffic should enforce TLS encryption in-transit.
d. Server Hardening and Patching: If there are physical servers, containers and/or virtual machines involved, confirm how the hardening and patching is performed and the configuration setting if that is automated by the cloud provider.
4. Logging and Monitoring
a. Vulnerability Scanning: Whether vulnerability scanning solutions are turned on, and any vulnerabilities identified have been assessed, logged and resolved, planned for resolution, or risk accepted. This may be Amazon Inspector, Google Command Centre, or Azure Defender for Cloud, in their respective cloud environments.
b. Audit Logs: Check audit logs are captured including administrator account activity and system events. This may be in CloudWatch and CloudTrail (AWS), Cloud Audit Logs (GCP), or Azure AD (Azure).