Versions Compared

Version Old Version 17 New Version Current
Changes made by

Hein van Schaik

Hein van Schaik

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Microsoft Azure

Amazon Web Services

Security patches

  • Software updates to resolve security vulnerabilities (“security patches”) will be made available according the following timelines:

  • CVSS scores of 9 and above (Critical): immediately

  • CVSS scores of 7 and above (High): next release (3 weeks)

  • CVSS scores between 4 and 7: within 3 releases (nine weeks)

  • CVSS scores below 4: best effort.

Idem.

Vulnerability scanning - methods in use

  • Monthly XX

  • CIS benchmark scanning

Passwords

Microsoft Azure

Amazon Web Services

Full range of ASCI characters

Password length (min/max)

8/128

Password renewal

After 4 months

Password re-use

After 3

Mandatory use of capital

Yes

Mandatory use of special character

Yes

Mandatory use of number

Yes

Password block/lock out

Yes (10 attempts)

Password lock-out time

10 minutes

Logging of lock-outs, log outs, login attempt (successfull/failed)

??

Hashed & salted

Yes

Transport via encrypted channel

Yes

(Host) Intrusion detection monitoring (e.g. malware protection)

  • Office equipment (e.g. laptops, workstations)

    • XXX

  • MSTCS2C

    • Microsoft Azure

      • Supported:

        • Anti-virus & threat protection in Windows Security. It runs different types of scans and gets the latest protection offered by Microsoft Defender Antivirus.

          • Code ??

          • Data ??

          • Files ??

          • Upload/download ??

      • Not supported

        • Intrusion detection system (IDS)

        • Anti-malware

        • Anti-ransomware

    • Amazon web services

      • XXX

...

  • Network segmentation: Resources are organized in separate virtual or physical networks. Separate access rules are defined per network. The access to the different networks is restricted according to the access control matrix.

  • All private networks are protected with a firewall.

  • Open network ports and allowed protocols are managed through firewall rules.

  • The access rules for allowed ports and protocols are managed by the responsible system administrator of every asset.

  • Only ports and protocols needed for the operation of applications and services are allowed. All other traffic is denied by default.

  • The network and firewall configurations are checked on a regular basis.

  • Remote Access through public networks is done only through encrypted channel (TLS or SSH) 2 for which two options for are allowed:

    • Setup a VPN connection to the private network. Only selected trusted users can do make VPN connections.

    • Configure remote access through Remote Desktop Protocol (RDP) or SSH. In this case the connection should be is allowed only from whitelisted IP addresses. All connection attempts should be are logged in the system event log. The logs should be are checked on a regular basis.

...

Access control security

  • 2FA: not available

  • MSTC S2C has an integrated logical access framework that can segregate access based on roles, screens, activities (CRUD) and organizational dimensions

  • Access is managed through Access Control Lists (ACL). Allow or Deny permissions can be set on selected actions for a given scope. The permissions can be set for individual user or for groups of users.

  • Privileged accounts protection:

    • Supported

      • Multi Factor Authentication

    • Not supported

      • 4-eyes principle: at least two people must be present during activities and this must be auditable.

      • Activities must be conducted from a network and system which has been proven to be secured.

    • ??

      • IP whitelisting, certificates, conditional access checks, VPN

...