Level 2
Description:
The control of information in shared system resources (e.g., registers, cache memory, main memory, hard disks) is also commonly referred to as object reuse and residual information protection. This requirement prevents information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to any current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system. This requirement also applies to encrypted representations of information. This requirement does not address information remanence, which refers to residual representation of data that has been nominally deleted; covert channels (including storage or timing channels) where shared resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.
Priority: High
Domain: SYSTEM AND COMMUNICATIONS PROTECTION (SC)
Category: Baseline Security Configurations
Services Associated with AWS:
- AWS Identity and Access Management (IAM), Amazon EC2, AWS Lambda, Amazon RDS
- Amazon EC2, Amazon S3, AWS Key Management Service (KMS), Amazon Macie
- Amazon Inspector, AWS Shield, AWS WAF, AWS CloudTrail
Services Associated with Azure:
- Azure Security Center
- Azure Key Vault
- Azure Active Directory
- Azure Storage
- Azure Disk Encryption
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation of role-based security training being performed
- Administrative: supporting documentation to demonstrate how Data Loss Prevention (DLP) is implemented, if applicable
- Technical: screenshot of DLP technology, if applicable
- Technical: screenshot of configuration settings, if applicable
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
What needs to be answered:
Are requirements implemented to prevent object reuse and to protect residual information? Does the system prevent unauthorized or unintended information transfer via shared system resources (e.g., register, main memory, secondary storage)?
Checks for AWS
- Control Over Shared System Resources
Description: This check ensures that information contained in shared system resources is controlled to prevent unauthorized and unintended information transfer. This includes clearing or sanitizing shared resources after they are released back to the system.
- Protection of Residual Information
Description: This check verifies that steps are taken to protect residual information in system resources. This includes ensuring that information produced by the actions of prior users or roles is not available to any current users or roles.
- Prevention of Covert Channels
Description: This check confirms that measures are in place to prevent the use of covert channels, such as storage or timing channels, where shared resources are manipulated to violate information flow restrictions.
Checks for Azure
- Control Over Shared System Resources:
Description: This policy ensures that information contained in shared system resources is controlled to prevent unauthorized and unintended information transfer. It includes measures to clear or sanitize shared resources after they have been released back to the system, preventing any residual information from being accessible to unauthorized users or processes.
- Protection of Residual Information:
Description: This policy verifies that steps are taken to protect residual information in system resources. It ensures that information produced by the actions of prior users or roles is not available to any current users or roles who obtain access to shared system resources after those resources have been released back to the system. This policy may also apply to encrypted representations of information, ensuring they are not inadvertently accessed by unauthorized entities.
- Prevention of Covert Channels:
Description: This policy confirms that measures are in place to prevent the use of covert channels, such as storage or timing channels, where shared resources are manipulated to violate information flow restrictions. Covert channels could potentially be exploited to bypass security controls and transfer information between different roles or users without proper authorization.
More Details: Unintended system resource transfer is not possible with a cloud-based remote access system.