Level 2


Description:

Routing remote access through managed access control points gives the organization explicit control over such connections, reducing the risk of unauthorized access to organizational systems that could result in the unauthorized disclosure of CUI.


Priority: High 


Domain: ACCESS CONTROL (AC) 


Services Associated with AWS: 

  • AWS Virtual Private Network (VPN), AWS Direct Connect, AWS Transit Gateway


Services Associated with Azure:

  • Azure Firewall
  • Azure Bastion
  • Azure Virtual Network (VNet)
  • Azure Private Link
  • Azure ExpressRoute


Objective Evidence: 

  • Administrative: documented policies, standards & procedures 
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations 
  • Technical: screenshot of firewall/VPN settings


Possible Technology Considerations:

  • VPN Concentrator Secure Baseline Configurations (SBC) 


What needs to be answered:

Is remote access only maintained by the IT department and routed through a limited number of managed access control points?  


Checks for AWS

  • Ensure Routing of Remote Access Via Managed Control Points:
    Description: This check confirms that remote access is routed through managed access control points, enhancing organizational control over such connections and reducing the susceptibility to unauthorized access.
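One way to implement the AWS check above in code, as an added example that is not part of the original page: it flags security-group rules that admit SSH or RDP from any source other than a managed access control point (a VPN/Direct Connect ingress range or a bastion security group). The sample groups are constructed in the shape of an EC2 describe_security_groups response, and the managed CIDR and bastion group id are assumed values.

```python
from ipaddress import ip_network

REMOTE_ACCESS_PORTS = {22, 3389}  # SSH and RDP: interactive remote access

def rule_covers_remote_access(perm):
    """True if a security-group IpPermission admits SSH or RDP (or every port)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in REMOTE_ACCESS_PORTS)

def source_is_managed(cidr, managed_cidrs):
    """True only if the whole source range sits inside a managed range."""
    src = ip_network(cidr, strict=False)
    return any(src.version == m.version and src.subnet_of(m)
               for m in (ip_network(c, strict=False) for c in managed_cidrs))

def find_unmanaged_remote_access(groups, managed_cidrs, managed_sg_ids=()):
    """(group id, source) for SSH/RDP rules not sourced from a managed control point."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_remote_access(perm):
                continue
            for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                if not source_is_managed(cidr, managed_cidrs):
                    findings.append((sg["GroupId"], cidr))
            for pair in perm.get("UserIdGroupPairs", []):  # rule sourced from another SG
                if pair.get("GroupId") not in managed_sg_ids:
                    findings.append((sg["GroupId"], pair.get("GroupId")))
    return findings

# Constructed sample in the shape of ec2.describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.10.5.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
]
MANAGED_CIDRS, MANAGED_SGS = ["10.10.0.0/16"], {"sg-bastion"}  # assumed VPN range / bastion SG
```

Against live data, pass `ec2.describe_security_groups()["SecurityGroups"]` in place of the sample; an empty result means every SSH/RDP path enters through a managed control point.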


Checks for Azure

  • Ensure Cryptographic Protection of Remote Access Sessions in Azure Key Vault:
    Description: This check verifies that cryptographic mechanisms are used to maintain the confidentiality of remote access sessions in Azure Key Vault. Cryptographic standards should include FIPS-validated cryptography and NSA-approved cryptography.
  • Validate Cryptographic Protection for Remote Access Sessions in Azure Virtual Network (VNet):
    Description: This check confirms that cryptographic protection is implemented to maintain the confidentiality of remote access sessions in Azure Virtual Network (VNet). Cryptographic standards should adhere to FIPS-validated cryptography and NSA-approved cryptography.
  • Check Cryptographic Protection for Remote Access Sessions in Azure Disk Encryption:
    Description: This check ensures that cryptographic protection is applied to maintain the confidentiality of remote access sessions in Azure Disk Encryption. Cryptographic standards should meet the requirements of FIPS-validated cryptography and NSA-approved cryptography.
  • Verify Cryptographic Protection for Remote Access Sessions in Azure Storage Service Encryption:
    Description: This check verifies that cryptographic protection is in place to maintain the confidentiality of remote access sessions in Azure Storage Service Encryption. Cryptographic standards should align with FIPS-validated cryptography and NSA-approved cryptography.
  • Ensure Cryptographic Protection of Remote Access Sessions in Azure VPN Gateway:
    Description: This check ensures that cryptographic mechanisms are employed to maintain the confidentiality of remote access sessions in Azure VPN Gateway. Cryptographic standards should include FIPS-validated cryptography and NSA-approved cryptography.
  • Validate Cryptographic Protection for Remote Access Sessions in Azure Information Protection:
    Description: This check confirms that cryptographic protection is implemented to maintain the confidentiality of remote access sessions in Azure Information Protection. Cryptographic standards should adhere to FIPS-validated cryptography and NSA-approved cryptography.


More Details: Remote access is managed via a controlled access point.