
IAM Audit

Basic Info
• What you audited: IAM in a Private Cloud
• Overall Rating: Strong
• Number of findings: 4

CIS 8086: Protecting Information Assets Page 2


Ensure that renting hardware and software from a CSP to deliver a service over a network is appropriate.
▪ CRITERIA: Before transitioning to the cloud, you must examine your CSP by comparing your needs to the services offered by your prospective CSP.

▪ CONDITION: The HR Benefits system is housed in a country with no data privacy laws.

▪ CAUSE: Applications run in the cloud should conform to best-practice guidance and guidelines for the assessment and ongoing management of vulnerabilities.

▪ EFFECT: This can result in abuse of cloud services, insufficient due diligence, insecure APIs, or a data breach.

▪ RECOMMENDATION: The three main points of information security are confidentiality, integrity, and availability; if a CSP does not uphold these standards, you should relocate to a service provider that is more secure and operates under data privacy laws.



Ensure the CSP furnishes continuous cloud computing service with zero downtime.
▪ CRITERIA: The CSP will also ensure that redundant (backup) systems are in place, resulting in continued (24/7) cloud service.

▪ CONDITION: Given a business heavily dependent on eCommerce, ensure the CSP provides 24/7 cloud computing service.

▪ CAUSE: The current CSP does not have the operational capability to support business requirements.

▪ EFFECT: The impact of not having a reliable CSP is significant. Revenue has been rapidly decreasing, resulting in the loss of business. Not only is the business impacted but also the client's reputation.

▪ RECOMMENDATION: Vendor and client agree through a Service Level Agreement (SLA) that failure to provide continuous cloud computing service will initially result in a monetary deduction for the time the service was not provided and could ultimately result in cancellation of the business relationship.



Ensure that the firewall rule for the cloud environment where the PROD VMs reside is set to "Stateful."
▪ CRITERIA: In a firewall that uses stateful inspection, the network administrator can set the parameters to meet specific needs. In a typical network, ports are closed unless an incoming packet requests a connection to a specific port, and then only that port is opened.

▪ CONDITION: The network administrator discovered that SSH communication packets were denied because port 22 (SFTP over SSH) was closed on the firewall by default. Many of the VMs within the PROD environment were prohibited from completing file transfers because, by default, Secure File Transfer Protocol (SFTP) traffic was denied through the firewall.

▪ CAUSE: Improper firewall configuration.

▪ EFFECT: Stateful inspection monitors communication packets over a period of time and examines both incoming and outgoing packets. Outgoing packets that request specific types of incoming packets are tracked, and only those incoming packets constituting a proper response are allowed through the firewall.

▪ RECOMMENDATION: Inbound and outbound packet requests (via IP address) with specific SSH communication to an open port 22 should be allowed to pass through the firewall.
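As an added illustration (not part of the audit deck), the following Python model shows the behaviour this finding asks for: inbound ports are closed by default, replies are admitted only when they match a connection a PROD VM itself opened, and a single explicit rule admits SSH on port 22 from one administrator address. The subnet prefix, the admin host address and every packet in the scenario are constructed sample values, not values from the audited environment.

```python
from dataclasses import dataclass

# Added example (not from the audit): a minimal stateful packet filter for a
# PROD VM subnet. All addresses and ports below are constructed sample values.
PROD_NET_PREFIX = "10.0.1."    # assumed PROD VM subnet
ADMIN_HOST = "192.0.2.10"      # assumed administrator jump host


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Default-deny inbound; replies allowed only for connections the VMs opened,
    plus an explicit allow-list of inbound (proto, port, source) rules."""

    def __init__(self, allowed_inbound):
        # Each rule: (proto, dst_port, src_ip or None for any source)
        self.allowed_inbound = list(allowed_inbound)
        # Connection table keyed from the PROD VM's point of view:
        # (proto, vm_ip, vm_port, remote_ip, remote_port)
        self.state = set()

    @staticmethod
    def _is_prod(ip):
        return ip.startswith(PROD_NET_PREFIX)

    def filter(self, pkt):
        """Return ("ALLOW" | "DENY", reason) for one packet."""
        outbound = self._is_prod(pkt.src_ip) and not self._is_prod(pkt.dst_ip)
        inbound = self._is_prod(pkt.dst_ip) and not self._is_prod(pkt.src_ip)

        if outbound:
            # Outgoing request: record it so the matching reply can come back.
            self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW", "outbound request, connection tracked"

        if inbound:
            # 1. Reply to a tracked connection (e.g. an SFTP server answering a VM).
            key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.state:
                return "ALLOW", "reply to tracked connection"
            # 2. Explicitly permitted new inbound connection (e.g. admin SSH).
            for proto, port, src in self.allowed_inbound:
                if pkt.proto == proto and pkt.dst_port == port and src in (None, pkt.src_ip):
                    self.state.add(key)
                    return "ALLOW", f"inbound {proto}/{port} permitted from {pkt.src_ip}"
            return "DENY", "no tracked connection and no matching rule"

        return "DENY", "traffic does not involve the PROD subnet"


def run_scenario():
    """Replay a small constructed packet sequence and return the decisions."""
    fw = StatefulFirewall([("tcp", 22, ADMIN_HOST)])
    packets = [
        # PROD VM opens an SFTP session to an external partner host
        Packet("tcp", "10.0.1.5", 40000, "203.0.113.7", 22),
        # partner host replies on that same connection
        Packet("tcp", "203.0.113.7", 22, "10.0.1.5", 40000),
        # administrator opens SSH to a PROD VM
        Packet("tcp", ADMIN_HOST, 51000, "10.0.1.5", 22),
        # unknown host tries SSH to the same VM
        Packet("tcp", "198.51.100.9", 51001, "10.0.1.5", 22),
        # unsolicited "reply" aimed at a VM that never opened a connection
        Packet("tcp", "203.0.113.7", 22, "10.0.1.6", 40000),
    ]
    return [fw.filter(p)[0] for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

Running the scenario yields ALLOW for the VM's outbound SFTP request, its reply and the administrator's SSH session, and DENY for the unknown host and the unsolicited reply. The connection table is what makes the difference: the same inbound packet is accepted or rejected depending on whether a VM asked for it, which is the distinction between a stateful rule and a plain port-open rule.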



Ensure that RBAC methods of regulating access are used to limit administrative VM access to protect against an outside attacker.
▪ CRITERIA: Ensure that RBAC methods of regulating access are used to limit access.

▪ CONDITION: Given a high-profile information system network, establish RBAC.

▪ CAUSE: Improper configuration of discretionary access controls.

▪ EFFECT: The lack of effective RBAC results in a significant security vulnerability. The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise.

▪ RECOMMENDATION: Establishing separation of duties and granting the least amount of privilege necessary for users to perform their authorized tasks are basic rules of information security that apply to both physical and virtual resources.
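As an added illustration (not part of the audit deck), the following Python model applies the two rules named in the recommendation to administrative VM access: each role carries only the permissions its task needs (least privilege), and a user is refused any second role that conflicts with one they already hold (separation of duties). The role names, permission strings, conflicting pairs and user names are constructed sample values.

```python
# Added example (not from the audit): role-based access control for
# administrative VM actions, enforcing least privilege and separation of duties.
# Role names, permissions and users are constructed sample values.

ROLES = {
    "vm-operator":       {"vm:start", "vm:stop", "vm:console"},
    "vm-admin":          {"vm:start", "vm:stop", "vm:console", "vm:snapshot", "vm:delete"},
    "auditor":           {"vm:read-config", "vm:read-logs"},
    "network-admin":     {"firewall:edit-rule"},
    "security-approver": {"firewall:approve-change"},
}

# Separation of duties: role pairs one person must never hold together, so a
# single account cannot both make and approve a change, or administer VMs
# and audit its own work.
CONFLICTING_ROLES = {
    frozenset({"network-admin", "security-approver"}),
    frozenset({"vm-admin", "auditor"}),
}


class RbacPolicy:
    def __init__(self):
        self.assignments = {}   # user -> set of role names

    def assign(self, user, role):
        """Grant a role, refusing any assignment that violates separation of duties."""
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        held = self.assignments.setdefault(user, set())
        for existing in held:
            if frozenset({existing, role}) in CONFLICTING_ROLES:
                raise PermissionError(f"{user}: {role} conflicts with {existing}")
        held.add(role)

    def permissions(self, user):
        """Effective permissions: the union of the user's roles and nothing more."""
        return set().union(*(ROLES[r] for r in self.assignments.get(user, set())))

    def is_allowed(self, user, action):
        """Default deny: an action is allowed only if some held role grants it."""
        return action in self.permissions(user)


def demo():
    """Exercise the policy on constructed users and return the outcomes."""
    policy = RbacPolicy()
    policy.assign("ops-alice", "vm-operator")
    policy.assign("aud-bob", "auditor")
    policy.assign("net-carol", "network-admin")
    try:
        # carol already edits firewall rules; approving her own changes is refused
        policy.assign("net-carol", "security-approver")
        sod_enforced = False
    except PermissionError:
        sod_enforced = True
    return {
        "operator_can_stop": policy.is_allowed("ops-alice", "vm:stop"),
        "operator_can_delete": policy.is_allowed("ops-alice", "vm:delete"),
        "auditor_can_read_logs": policy.is_allowed("aud-bob", "vm:read-logs"),
        "auditor_can_stop": policy.is_allowed("aud-bob", "vm:stop"),
        "unknown_user_denied": not policy.is_allowed("nobody", "vm:start"),
        "sod_enforced": sod_enforced,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the model is that an operator who needs to restart VMs never acquires the ability to delete them, an auditor can read but not act, and an account with no assignment is denied everything. That is the opposite of the discretionary setup named as the cause, where whoever owns a resource can hand out rights at will.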



Conclusion
▪ Recommendations
▪ 1) We recommend that…..



Questions?
