Microsoft Azure | Amazon Web Services | |
|---|---|---|
Security patches |
| Idem. |
Vulnerability scanning - methods in use |
| |
Passwords | Microsoft Azure | Amazon Web Services |
Full range of ASCI characters | ||
Password length (min/max) | 8/128 | |
Password renewal | After 4 months | |
Password re-use | After 3 | |
Mandatory use of capital | Yes | |
Mandatory use of special character | Yes | |
Mandatory use of number | Yes | |
Password block/lock out | Yes (10 attempts) | |
Password lock-out time | 10 minutes | |
Logging of lock-outs, log outs, login attempt (successfull/failed) | ?? | |
Hashed & salted | Yes | |
Transport via encrypted channel | Yes |
(Host) Intrusion detection monitoring (e.g. malware protection)
Office equipment (e.g. laptops, workstations)
XXX
MSTC
Microsoft Azure
Supported:
Anti-virus & threat protection in Windows Security. It runs different types of scans and gets the latest protection offered by Microsoft Defender Antivirus.
Code ??
Data ??
Files ??
Upload/download ??
Not supported
Intrusion detection system (IDS)
Anti-malware
Anti-ransomware
Amazon web services
XXX
Network traffic/nodes
Microsoft Azure
In every HTTP request returned by the server there is an HTTP header which can help us to identify from which node the request was returned.
Amazon web services
Incident testing (scenario’s)
Penetration testing (twice a year)
Back-up restore testing (twice a year)
Business continuity testing (twice a year)
Secure communication services
Microsoft Azure
Supported:
DNSSec - Domain security
SPF - Protection against email phishing
DKIM - Protection against email phishing
DMARC - Protection against email phishing
STARTTLS - Secure connection between mail servers (via Sendgrid)
IPv4 - Internet Protocol version 4
SAML - Authentication and authorization
Not supported
RPKI - Securing the routing infrastructure
DANE- Secure connection between mail servers
STIX - Sharing of cyber threat information
TAXII - Sharing of cyber threat information
IPv6 - Internet Protocol version 6
Amazon web services
XXX
Communication security ('layered access'/'trusted origin')
Network segmentation: Resources are organized in separate virtual or physical networks. Separate access rules are defined per network. The access to the different networks is restricted according to the access control matrix.
All private networks are protected with firewall. Open network ports and allowed protocols are managed through firewall rules. The access rules allowed ports and protocols are managed by the responsible system administrator of every asset.
Only ports and protocols needed for the operation of applications and services are allowed. All other traffic is denied by default.
The network and firewall configurations are checked on a regular basis.
Remote Access through public networks is done only through encrypted channel (TLS or SSH) 2 options for are allowed:
Setup a VPN connection to the private network. Only selected trusted users can do VPN connections.
Configure remote access through Remote Desktop Protocol (RDP) or SSH. In this case the connection should be allowed only from whitelisted IP addresses. All connection attempts should be logged in the system event log. The logs should be checked on a regular basis.
Time zone/time stamp source
Microsoft Azure
Amazon web services
Ubuntu NTP server is used for system time synchronization. Ubuntu has time synchronization built in and handled by the Network Time Protocol daemon.
Multi/single tenant approach
Microsoft Azure
Single tenant. There is logical separation of resources which is ensured by the allow/deny permissions for a set of actions in the application. The security model is base on Access control lists and role membership.
Amazon web services
Monolithic vs (micro)services architecture
Microsoft Azure
There is a layer architecture in place. The client is an SPA (single page application) based on Angular). The service layer is based on .NET Web API REST services. There are a number of different endpoints available but it’s not a microservice architecture. The application is installed on Virtual Machines (VM) and is hosted in Microsoft Azure. It uses Azure IaaS (Infrastructure as a Service) resources. In general, the deployment architecture is Windows N-tier application which uses SQL Server as a database storage. The documents are stored in Azure Blob Storage service.
Amazon web services
Availability & scalability
Microsoft Azure
Availability of the virtual machines is guaranteed by Microsoft Azure SLA.
All virtual machines are monitored on the following parameters:
CPU usage – should not be above 95% for more than 5 min.
Memory usage – should not be above 95% for more than 5 min.
Network traffic – should be below 20 mbs.
Disk free space – should be above 10%.
If lack of resources is detected during the infrastructure monitoring action will be taken to resize the needed resources in Azure.
Amazon web services
XX
Access control security
2FA: not available
MSTC has an integrated logical access framework that can segregate access based on roles, screens, activities (CRUD) and organizational dimensions
Access is managed through Access Control Lists (ACL). Allow or Deny permissions can be set on selected actions for a given scope. The permissions can be set for individual user or for groups of users.
Privileged accounts protection:
Supported
Multi Factor Authentication
Not supported
4-eyes principle: at least two people must be present during activities and this must be auditable.
Activities must be conducted from a network and system which has been proven to be secured.
??
IP whitelisting, certificates, conditional access checks, VPN
Data retention
XXX