Experimental Cloud Accounts
Security Management Process and Conditions
Introduction
In the interest of fostering innovation and flexibility in the development and demonstration of modern technologies, cloud accounts used for Proof of Concept (POC), Research and Development, Demo, and Practice purposes may reside outside the controlled zone, also known as the TIM Landing Zone.
Purpose
The purpose of these accounts is to provide a flexible environment where users can freely utilize any cloud services, resources, and components without the constraints imposed by stringent security policies and restrictions. This flexibility is crucial for rapidly testing new ideas, conducting research, and practicing without the administrative overhead typically associated with production environments.
Security Policies and Restrictions
Due to their nature, such cloud accounts will not have any security policies or restrictions implemented. This is to ensure maximum flexibility and usability for short-term projects and experiments. However, it is imperative that users exercise caution and follow best practices to prevent any unintentional security breaches or data loss.
Basic Security Controls
To ensure the cloud accounts remain secured while they are used for the above purposes, a list of basic controls must be followed and implemented by anyone who uses such accounts:
- Enable Logging: Across all the cloud services, resources, or components that are used, enable logging so that these can be referred to in case something goes wrong in the environment.
- Private Network Configuration: Always configure cloud services in a private network and avoid configuring any service in a public network. Cloud services that require exposure to the open internet must be published using a Web Application Firewall (WAF), with rules enabled to block malicious traffic. If WAF cannot be used, enable IP-based access to reduce the attack surface.
- Access Control: Always use TechM Domain ID to access the cloud console via GUI and/or CLI. For programmatic access keys or secrets needed for integration with applications or by third parties, restrict access to specific IPs only, and do not allow access from the open internet or larger IP subnets.
- Key Rotation: Rotate local user passwords or programmatic keys every 15 days to minimize misuse due to potential leaks or other issues.
- Configuration and Monitoring: Configure such accounts in TechM CSPM and ensure all identified misconfigurations are fixed immediately. Additionally, configure monitoring of all internet-published web URLs using Up Guard and address all identified vulnerabilities promptly.
- Data Usage: Use only dummy data in such environments. It is crucial to remember that these accounts are specifically designed for experimentation and short-term projects. Using only dummy data helps mitigate the risks associated with data breaches and ensures that no sensitive information is exposed.
- Threat Monitoring: Enable cloud-native threat monitoring services within the cloud accounts and ensure continuous monitoring.
- Endpoint Protection: It is recommended that all Virtual Machines are protected with adequate security solutions like Antivirus, Antimalware and Endpoint Detection and Response (EDR).
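The Key Rotation and Access Control items above can be checked mechanically. The following is an added example, not part of this process document: it takes a constructed inventory of programmatic keys (the inventory format, the key ids and the "larger subnet" threshold of more than 16 addresses are assumptions) and flags keys older than the 15-day rotation window and keys whose allowed source ranges are the open internet, a large subnet, or absent altogether.

```python
"""Checks for two of the Basic Security Controls: 15-day key rotation and
source-IP restriction on programmatic keys. Added example; the inventory
format and the 16-address subnet threshold are assumptions, not policy."""
from datetime import date
import ipaddress

ROTATION_DAYS = 15      # from the Key Rotation control
MAX_ALLOWED_HOSTS = 16  # assumption: wider than a /28 counts as a "larger subnet"


def key_age_findings(keys, today):
    """Return ids of keys whose age exceeds the rotation window."""
    return [k["id"] for k in keys if (today - k["created"]).days > ROTATION_DAYS]


def source_ip_findings(keys):
    """Return (key_id, cidr, reason) for every allowed range that is not a
    specific IP or a small range, and for keys with no restriction at all."""
    findings = []
    for k in keys:
        if not k.get("allowed_cidrs"):
            findings.append((k["id"], None, "no source-IP restriction"))
            continue
        for cidr in k["allowed_cidrs"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen == 0:
                findings.append((k["id"], cidr, "open internet"))
            elif net.num_addresses > MAX_ALLOWED_HOSTS:
                findings.append((k["id"], cidr, "larger subnet"))
    return findings


# Constructed sample inventory; ids and dates are made up for the example.
SAMPLE_KEYS = [
    {"id": "key-demo-01", "created": date(2024, 5, 1), "allowed_cidrs": ["203.0.113.10/32"]},
    {"id": "key-demo-02", "created": date(2024, 4, 1), "allowed_cidrs": ["0.0.0.0/0"]},
    {"id": "key-demo-03", "created": date(2024, 5, 10), "allowed_cidrs": ["10.0.0.0/8"]},
    {"id": "key-demo-04", "created": date(2024, 5, 12), "allowed_cidrs": []},
]


def run_checks(keys=SAMPLE_KEYS, today=date(2024, 5, 14)):
    """Run both checks and return the findings grouped by control."""
    return {"rotation_overdue": key_age_findings(keys, today),
            "source_ip": source_ip_findings(keys)}


if __name__ == "__main__":
    for control, items in run_checks().items():
        print(control, items)
```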
Subject Matter Expert (SME) Oversight
Ensure a Subject Matter Expert (SME) is available and identified within the team, who will oversee cloud security during the lifecycle of the cloud account. The SME will be responsible for continuous monitoring, compliance with security protocols, and assisting users with any security-related issues or configurations.
Outlined below are the restrictions specific to the TIM Landing Zone and the corresponding freedoms in the Experimental Cloud Accounts. Within the Experimental Cloud Accounts, where these restrictions do not apply, the Subject Matter Expert (SME) is responsible for supervising and ensuring that all configurations are properly safeguarded.
Category | TIM Landing Zone | Experimental Cloud Accounts
Perimeter Network Level Firewall | Managed and controlled by the TIM Team, this firewall monitors and filters inbound and outbound traffic based on predefined security rules, ensuring only legitimate traffic is allowed. | Complete access to the Cloud Network.
Controlled Network Connections | Inbound and outbound network connections from the cloud accounts are strictly controlled by the TIM Team, ensuring all communication is monitored and secure and blocking unauthorized connections. | Complete access to the Cloud Network.
Restricted Exposure to the Open Internet | Services within the TIM Landing Zone are restricted from being exposed to the open internet without proper authorization, ensuring sensitive services are not publicly accessible and reducing the risk of cyber-attacks. | Complete access to expose any service to the Open Internet.
Internet Access | Internet access is restricted and allowed only on a need basis for a limited set of URLs. Category-based Internet access is granted upon review and clearance from ISG. | Complete access to allow Internet access from any cloud service, resource or virtual machine.
Configuring Cloud Services in Public Network | Policies are deployed to restrict configuration of any cloud service in a Public Network; configuration is allowed in a Private Network only. | Complete access to configure cloud services in Public Network.
Access to Marketplace Images | Highly restrictive access, allowing access only to TechM Standard Images, which undergo vulnerability assessments with fixes applied on a quarterly basis. These images are hardened as per the TechM CIS Benchmark and configured with endpoint protection solutions like antivirus, antimalware, and EDR. | Complete access to Marketplace Images.
Restricted Access to IAM Services | Access to Identity and Access Management services is restricted to authorized personnel within the TIM Team, preventing unauthorized users from managing and configuring user roles, permissions, and access controls. | Complete access to IAM Services.
Authorization for New Services | The use of any new service within the TIM Landing Zone requires prior authorization, ensuring all new services are provisioned only based on requests. Cloud services requiring an exception undergo a security review and approval process before enablement. | Complete access to enable or disable any cloud service.
Incident Reporting
Immediately notify the ISG Incident Management Team of any security incidents identified in such accounts for further actions and investigations. This notification should be issued as soon as any unusual or suspicious activity is detected, to ensure a prompt response. Incident reports must contain comprehensive details about the incident, including the nature and scope of the breach, affected resources, time of occurrence, and any preliminary remediation steps undertaken to mitigate the impact. Additionally, include any relevant logs, screenshots, or evidence that could assist the ISG team in the investigation and response efforts. The earlier and more detailed the report, the better the ISG team can assist in resolving the issue and preventing future occurrences.
Restrictions on Data
Customer demos or POCs that use actual or live data are strictly prohibited from being executed in these environments. Instead, such activities must be conducted within cloud accounts that are situated inside the controlled zone, which is also referred to as the TIM Landing Zone. This controlled environment ensures that all necessary security measures and compliance protocols are in place, mitigating the risk of data breaches and other security incidents. By hosting demos and POCs with live data in the TIM Landing Zone, we can maintain a higher level of data integrity and security, safeguarding both our customers' information and our infrastructure.
Duration of Use
These accounts are intended to be used only for short durations (limited to a maximum of 90 days; extensions require exception approval from the CISO), strictly when the need arises. Once the objective of the POC, research, demo, or practice is achieved, the accounts should be promptly decommissioned or returned to a controlled state.
Conclusion
By allowing cloud accounts to reside outside the controlled zone for specific purposes, we can significantly enhance our capacity for innovation and development. It is, however, the responsibility of the users to ensure that these accounts are used judiciously and for the intended purposes only.
For any further clarifications or assistance, please reach out to ISG Cloud Security Team.
References
Please refer to “Cloud Security Management Process - Experimental Cloud Environments - ISG-PR026” on BMS for further details.