Monitor, encrypt and restrict communications between environments to only authenticated and authorized connections, as justified by the business. Review these configurations at least annually, and support them by a documented justification of all allowed services, protocols, ports, and compensating controls.
Network communications justified by the business should be allowed, encrypted, and require authorization. Conversely, unjustified network communications should be disallowed. Container application-aware network monitoring tools should be leveraged for:
- Automated determination of proper container networking surfaces, including both inbound ports and process-port bindings.
- Detection of traffic flows between containers and other network entities over both wire traffic and encapsulated traffic.
- Detection of network anomalies—such as unexpected traffic flows within the organization’s network, port scanning, or outbound access to potentially dangerous destinations.
- Detection of invalid or unexpected malicious processes—and data they introduce into the environment.
- Examine the policy for communication between environments.
- Examine the criteria for business justification of communication, and reviews.
- Determine if the inventory of allowed communication has been reviewed, at least annually.
- Evaluate the effectiveness of the monitoring and encryption of such communication.
- Evaluate the details of business justification, and its review.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.