In a world of interconnected systems and environments, it's crucial to ensure that only authorized and authenticated connections are allowed between them. The IVS-03 Network Security control from the CSA Cloud Controls Matrix provides guidance on monitoring, encrypting, and restricting communications between environments. By following this control, organizations can significantly enhance their network security posture and protect their assets from unauthorized access.

Where did this come from?

CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4.

This control is part of the Infrastructure & Virtualization Security domain, which focuses on securing the underlying infrastructure and virtualization technologies used in cloud environments. It complements other security best practices and standards, such as the CIS Controls and NIST Cybersecurity Framework.

Who should care?

• Network administrators responsible for configuring and maintaining network security controls
• Security architects designing secure network architectures for cloud environments
• Compliance officers ensuring adherence to industry regulations and standards
• DevOps teams deploying applications across multiple environments
• Business stakeholders concerned about the security of their data and systems

What is the risk?

Failure to properly secure network communications between environments can lead to:

• Unauthorized access to sensitive data and systems
• Lateral movement of attackers within the network
• Data breaches and theft of intellectual property
• Compliance violations and regulatory fines
• Reputational damage and loss of customer trust

Implementing the IVS-03 control can significantly mitigate these risks by ensuring that only authorized and encrypted communications are allowed between environments. It helps prevent unauthorized access, detect anomalous network activity, and limit the potential impact of a breach.

What's the care factor?

For organizations operating in regulated industries or handling sensitive data, the care factor for IVS-03 should be high. Compliance with industry standards and regulations often requires strict controls over network communications. Even for organizations not subject to specific regulations, the potential impact of a data breach or unauthorized access should make this control a priority.

However, the level of care may vary depending on the sensitivity of the data and systems involved. A pragmatic approach is to prioritize the implementation of IVS-03 for critical environments and assets, while gradually rolling it out to less sensitive areas.

When is it relevant?

IVS-03 is relevant in scenarios where:

• Multiple environments (e.g., production, staging, development) are interconnected
• Sensitive data is transmitted between environments
• Compliance with industry regulations or standards is required
• The organization has a high risk profile or is a target for cyber attacks

It may be less relevant for isolated environments or networks with limited external connectivity. However, as cloud adoption grows and systems become more interconnected, the relevance of IVS-03 is likely to increase for most organizations.

What are the trade-offs?

Implementing IVS-03 comes with some trade-offs:

• Increased complexity in network configuration and management
• Potential performance impact due to encryption overhead
• Additional time and effort required for monitoring and reviewing network communications
• Possible disruption to business processes during implementation and testing

Organizations need to balance these trade-offs against the security benefits and compliance requirements. Proper planning, testing, and incremental implementation can help minimize the impact on business operations.

How to make it happen?

1. Inventory all network communications between environments
2. Justify and document the business need for each communication
3. Implement encryption for all allowed communications (e.g., using TLS, IPsec, or VPN)
4. Configure network firewalls and access control lists (ACLs) to restrict communications to only authorized and authenticated connections
5. Deploy container application-aware network monitoring tools to:
   • Automatically determine proper container networking surfaces
   • Detect traffic flows between containers and other network entities
   • Identify network anomalies and unexpected traffic patterns
   • Detect invalid or malicious processes and data
6. Regularly review and update the inventory of allowed communications (at least annually)
7. Document and maintain a justification for all allowed services, protocols, ports, and compensating controls

What are some gotchas?

• Ensure that all network devices and endpoints support the required encryption protocols (e.g., TLS 1.2 or higher)
• Properly configure and manage encryption keys and certificates
• Be aware of the performance impact of encryption, especially on high-throughput networks
• Ensure that network monitoring tools can handle encrypted traffic and provide meaningful insights
• Regularly update and patch network devices, monitoring tools, and endpoints to address security vulnerabilities
• Key AWS services and permissions required:
  • Amazon VPC for network segmentation and access control (ec2:CreateVpc, ec2:CreateSubnet, ec2:CreateNetworkAcl, ec2:CreateNetworkAclEntry)
  • AWS Direct Connect or VPN for secure connectivity (directconnect:CreateConnection, ec2:CreateVpnConnection)
  • AWS WAF for layer 7 network security (waf:CreateWebACL, waf:CreateRule)
  • AWS Shield for DDoS protection (shield:CreateProtection)
  • Amazon GuardDuty for threat detection (guardduty:CreateDetector)

What are the alternatives?

Some alternatives or complementary approaches to IVS-03 include:

• Implementing zero trust network access (ZTNA) to enforce least privilege access
• Using software-defined networking (SDN) to centrally manage and control network configurations
• Deploying network intrusion detection and prevention systems (IDPS) to identify and block malicious traffic
• Implementing network segmentation and micro-segmentation to limit the blast radius of a breach

These approaches can be used in conjunction with IVS-03 to further enhance network security and reduce risk.

Explore further

• CIS Controls v8 - Control 12: Network Infrastructure Management
• NIST SP 800-53 Rev. 5 - SC-7: Boundary Protection
• AWS Documentation - Encryption in Transit: https://docs.aws.amazon.com/whitepapers/latest/aws-security-best-practices/encryption-in-transit.html
• AWS Documentation - Network Security: https://docs.aws.amazon.com/whitepapers/latest/aws-security-best-practices/network-security.html
• AWS Documentation - Container Security: https://docs.aws.amazon.com/whitepapers/latest/security-best-practices-for-manufacturing-ot/container-security.html

By implementing the IVS-03 Network Security control and following the guidelines provided, organizations can significantly enhance their network security posture, protect their assets from unauthorized access, and maintain compliance with industry standards and regulations. Regular monitoring, review, and updates are crucial to ensure the ongoing effectiveness of the control in an ever-evolving threat landscape.

‍