Separate production and non-production environments.
Separation of the environments may include:
- Stateful inspection firewalls
- Domain/realm authentication sources
- Clear segregation of duties for personnel accessing these environments as part of their job duties
Apply sanitization routines to data before loading it into non-production environments, and define environmental boundaries. Production workloads should be isolated from the lower environments (e.g., development, testing) when possible.
- Verify if production and non-production environments are appropriately segregated.
- Verify if the segregation is reviewed and managed during change management.
- Verify the classification of data contained in each environment.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.