Network controls
Virtual networks in the cloud are often reachable from the internet with little or no deliberate configuration (a default VPC, for instance, comes with an internet gateway attached and hands out public IP addresses). As a result, they can be susceptible to attacks such as denial-of-service, brute-force login attempts, and data exfiltration, among others. It is critical to ensure that network controls have been configured securely to protect cloud resources from unauthorized access or attack.
The basic network control in the cloud is the security group, which acts as a virtual firewall for an instance (server or virtual machine). A security group's rules control which inbound and outbound traffic may reach or leave that instance. Security groups are stateful: a reply to traffic that was allowed in one direction is permitted regardless of the rules in the other direction.
In traditional networks, traffic is protected by a dedicated network firewall, the barrier that sits between the private internal network and the public internet; its purpose is to admit traffic from authorized sources and keep malicious traffic out. In the cloud, the baseline control is instead attached to each instance: every instance (more precisely, each of its network interfaces) is associated with one or more security groups, and the allow rules of those groups together decide what may reach it. Cloud providers also offer managed network firewalls that inspect traffic at the edge of a virtual network, but those are an additional layer, not a substitute for correctly configured security groups.
Cloud misconfiguration is one of the top security risks in the cloud. Cloud misconfiguration refers to any error or gap introduced while constructing a cloud environment that could pose a security risk. One of the most common network misconfigurations is a security group rule allowing unrestricted Secure Shell (SSH) access (for example, a rule that allows 0.0.0.0/0 on port 22). This single configuration error lets anyone on the internet attempt to log in to the server; exposed SSH ports are scanned continuously, so password-guessing attempts follow almost immediately.
To keep bad actors away from an organization's data, the cloud customer should restrict ports and protocols so that they are reachable only from trusted IP addresses and networks. For example, remote-administration ports such as 22 (SSH) and 3389 (RDP) should be reachable only from the private network, a bastion host, or a VPN, never from the entire internet. Note that "the entire internet" is spelled two ways in security group rules: 0.0.0.0/0 for IPv4 and ::/0 for IPv6, and a check that looks only for the first misses the second. Rules that allow all protocols (-1) or a port range wide enough to include the administration ports (such as 0-65535) expose the same ports without naming them and must be checked as well.
While the cloud service providers have embedded some network security controls into their virtual network resources, it is not enough to rely on the provider's configuration. Many provider network implementations come with default settings that are not inherently secure, and these defaults have to be scrutinized closely to confirm that they are appropriate for the cloud customer. Generally, the best mitigation is to design VPCs, virtual networks, subnets, and their associated security groups deliberately rather than accept the defaults.
As IT auditors, we have to assess whether controls for managing network access have been implemented securely. We will highlight the core network controls we need to examine for each cloud service provider.
Amazon Virtual Private Cloud
Several layers of controls can be leveraged to secure Amazon VPCs. We will highlight two main network controls: network access control lists (ACLs), which apply at the subnet boundary, and security groups, which apply to an instance.
Cloud customers can restrict both inbound and outbound network traffic using network ACLs and/or security groups. The two behave differently: network ACLs are stateless, their rules are evaluated in ascending rule-number order with the first match deciding, and return traffic must be allowed explicitly; security groups are stateful and contain only allow rules. Both are evaluated, so traffic must be permitted by the subnet's network ACL and by the instance's security group before it reaches a resource. Restricting inbound and outbound network traffic protects the cloud customer's network against unauthorized access to its resources. An IT auditor needs to ensure that network ACLs, security groups, and firewalls have been configured securely.
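The following is an added example, not code from the original text: a Python audit check for the two misconfigurations discussed above (an unrestricted security group rule on an administration port, and a network ACL that lets the internet reach that port). The input dictionaries follow the shape of the EC2 describe_security_groups and describe_network_acls API responses, but the sample data is constructed inline so the check runs offline; no boto3 call is made, and the group IDs and addresses are made up. The network ACL evaluation follows the documented semantics (ascending rule number, first match wins, default deny).

```python
"""Audit AWS security groups and network ACLs for remote-admin ports reachable
from the whole internet. Constructed sample data; no AWS API is called."""
from ipaddress import ip_address, ip_network

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
UNRESTRICTED = {ip_network("0.0.0.0/0"), ip_network("::/0")}


def is_unrestricted(cidr):
    """True for 'anywhere' in either address family (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr) in UNRESTRICTED


def covers_port(protocol, from_port, to_port, port):
    """Does a rule's protocol/port range include the given TCP port?
    Security groups name protocols ('tcp'); network ACLs use IANA numbers ('6');
    '-1' means every protocol and port in both APIs."""
    if protocol == "-1":
        return True
    if protocol not in ("tcp", "6"):
        return False
    if from_port is None or to_port is None:
        return True  # assumption: a TCP rule with no range is treated as all ports
    return from_port <= port <= to_port


def unrestricted_admin_rules(security_groups):
    """Return (group_id, service, port, source) for each ingress rule that lets
    the whole internet reach an admin port. Checks ::/0 as well as 0.0.0.0/0."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if not is_unrestricted(cidr):
                    continue
                for port, service in ADMIN_PORTS.items():
                    if covers_port(perm["IpProtocol"], perm.get("FromPort"),
                                   perm.get("ToPort"), port):
                        findings.append((sg["GroupId"], service, port, cidr))
    return findings


def nacl_allows(entries, src_ip, port, egress=False):
    """Evaluate a network ACL the way the VPC does: entries are checked in
    ascending RuleNumber order and the first match decides; if nothing matches,
    traffic is denied (the catch-all '*' entry appears as RuleNumber 32767)."""
    src = ip_address(src_ip)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress:
            continue
        cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
        if src not in ip_network(cidr):  # an IPv4 address never matches a v6 block
            continue
        pr = entry.get("PortRange") or {}
        if not covers_port(entry["Protocol"], pr.get("From"), pr.get("To"), port):
            continue
        return entry["RuleAction"] == "allow"
    return False


# Constructed sample data in the shape of the EC2 API responses (not a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [  # web tier: HTTPS public, SSH internal only
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-0bbb", "IpPermissions": [  # SSH open to the world over IPv4 and IPv6
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0ccc", "IpPermissions": [  # all protocols from anywhere: exposes 22 and 3389
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

NACL_ENTRIES = [
    {"RuleNumber": 50, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in unrestricted_admin_rules(SECURITY_GROUPS):
        print("FINDING: %s allows %s (tcp/%d) from %s" % finding)
    print("NACL allows SSH from 203.0.113.10:", nacl_allows(NACL_ENTRIES, "203.0.113.10", 22))
    print("NACL allows SSH from 198.51.100.7:", nacl_allows(NACL_ENTRIES, "198.51.100.7", 22))
```

Run against the sample data, the security group check reports nothing for sg-0aaa (HTTPS from anywhere is intended, SSH is limited to 10.0.0.0/8), two findings for sg-0bbb (one per address family), and two for sg-0ccc even though its rule never mentions port 22 or 3389. The network ACL check shows why a single deny entry is not a mitigation: hosts in 198.51.100.0/24 are blocked by rule 50, but the rest of the internet still matches the allow at rule 100. In a real audit the same functions would be fed the pages returned by boto3's describe_security_groups and describe_network_acls.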