Version: 3.0
Valid until: 2025-04-10
Classification: Low
3.0 | Edward Robinson | Additions/changes as part of the annual review. Added the use of Google Suite under 13.2.3. Updated broken links for customer, supplier and non-disclosure agreements under Administrations. |
In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system in accordance with the requirements of ISO 27001:2017.
The purpose of this document is to describe the communications security policy of anDREa and the associated controls, checks and administrations.
This document will be reviewed at least annually and when significant change happens.
The objectives of this control are:
To ensure the protection of information in networks and its supporting information processing facilities (A.13.1).
To maintain the security of information transferred within an organisation and with any external entity (A.13.2).
The scope of this document corresponds to Clause 4 Context of the organisation.
This document is:
required reading for:
all employees and contractors of anDREa.
available for all interested parties as appropriate.
The following measures have been taken to secure the (virtual) network of anDREa:
anDREa does not own a physical location with an internal company network.
anDREa has measures and rules described in A.6.2 Mobile devices and teleworking.
For all Microsoft Azure resources, anDREa uses Microsoft Defender for Cloud. Microsoft Defender for Cloud does not, however, cover other assets used by anDREa, such as laptops and Google Drive.
Chromebooks of anDREa employees are enrolled and managed by anDREa through the Google Workspace.
myDRE standard services:
anDREa has built myDRE on the Microsoft Azure cloud environment. Each myDRE Workspace is connected to one or more virtual networks, within which it is provided with a range of IP addresses that are allowed to interact. All services deployed in an Azure environment must use Azure Service Endpoints, which isolates access to Azure resources such as Virtual Machines (VMs), Web Applications and Storage services at the network level. Each myDRE Workspace is associated with one Microsoft Azure subnet within the virtual network. Each subnet has a Network Security Group (NSG), an Azure resource that filters network traffic to and from Azure resources in the virtual network. anDREa's deployment code automatically applies an NSG with a base list of network rules to each myDRE Workspace subnet. NSGs are additionally applied at the level of individual VMs, so traffic must pass both the subnet rules and the VM rules.
Documentation about Workspace networking can be found here: Workspace networking (authorised personnel only).
VMs in Workspaces are governed by group policies and are only accessible within the anDREa virtual network.
By default, Windows VMs in myDRE Workspaces can be accessed directly through the Remote Desktop Protocol (RDP) on TCP port 3389. Linux VMs are not reachable directly via SSH; they are accessed through a Windows VM that serves as a stepping stone. If a tenant's organisation does not allow RDP on port 3389, or if the tenant does not wish to reach Linux VMs via a stepping stone, the tenant can opt for the optional Azure Bastion service.
Each VM is equipped with endpoint protection agents managed through Microsoft Defender for Cloud to protect against malware.
Standard services are covered by the Microsoft Security Center, which includes:
Threat detection for Azure services, networks, servers and VMs.
Adaptive and automated application controls.
Centralised security policy management to comply with internal and regulatory frameworks.
Prioritisation of security recommendations and alerts to take immediate measures concerning the most critical vulnerabilities.
Continuous security assessment for VMs, networks, storage and data services as well as applications running across the organisation's environment.
myDRE optional services:
Some organisations block outbound RDP on port 3389. To accommodate their users, anDREa provides Azure Bastion as an optional feature. Bastion tunnels the RDP session over TLS (port 443) to the user's browser, so port 3389 does not need to be opened on the organisation's side. More information about the Bastion architecture in myDRE can be found here: Bastion architecture.
By default, myDRE Workspaces have no internet access. Outbound traffic can be permitted per destination IP address (IP allowlisting); in addition, anDREa now also offers allowlisting by domain name, enforced through a proxy.
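The networking controls described above (an NSG on each Workspace subnet and on each VM, RDP reachable only from inside the virtual network, Linux VMs reachable only via a stepping stone, and no internet egress unless a destination is allowlisted) all rest on how Azure evaluates NSG rules. The Python model below is an added example, not anDREa's code or configuration: the VNet range 10.10.0.0/16, the stepping-stone address 10.10.1.4, the allowlisted destination 203.0.113.10 and every rule name are hypothetical. It reproduces the Azure evaluation semantics: rules are consulted in ascending priority number, the first match decides, Azure's built-in default rules sit at priority 65000 and above, and for a flow to pass both the subnet NSG and the NIC NSG must allow it. Two practical points fall out of it: "no internet by default" needs an explicit outbound deny, because the default AllowInternetOutBound rule would otherwise permit egress, and an allowlist entry only works if its priority number is lower than that deny.

```python
"""Model of Azure NSG rule evaluation. Hypothetical rule set for illustration;
this is not anDREa's actual Workspace configuration."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.10.0.0/16")   # assumed Workspace VNet range
STEPPING_STONE = "10.10.1.4"                  # assumed Windows VM used to reach Linux VMs
AZURE_LB = "168.63.129.16"                    # Azure platform health-probe address


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # custom rules 100..4096; lower number is evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # CIDR, service tag or "*"
    dest: str
    dest_port: str   # "3389", "22", "1024-65535" or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def addr_match(spec: str, ip: str) -> bool:
    """Resolve a CIDR or service tag; here VirtualNetwork is the VNet range and
    Internet is everything outside it (a simplification of Azure's tag lists)."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB
    return addr in ipaddress.ip_network(spec)


def port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


# Built-in rules Azure places in every NSG; they cannot be removed, only
# overridden by a custom rule with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Hypothetical subnet-level base list for a Workspace: RDP from the VNet only,
# internet egress denied unless the destination is on the IP allowlist.
SUBNET_RULES = [
    Rule("AllowRdpFromVnet", 100, "Inbound", "Allow", "Tcp", "VirtualNetwork", "VirtualNetwork", "3389"),
    Rule("DenyInternetInBound", 200, "Inbound", "Deny", "*", "Internet", "*", "*"),
    Rule("AllowListedEgress", 100, "Outbound", "Allow", "Tcp", "*", "203.0.113.10/32", "443"),
    Rule("DenyInternetOutBound", 4000, "Outbound", "Deny", "*", "*", "Internet", "*"),
]

# Hypothetical NIC-level rules on a Linux VM: SSH only from the stepping stone.
LINUX_NIC_RULES = [
    Rule("AllowSshFromSteppingStone", 100, "Inbound", "Allow", "Tcp", STEPPING_STONE + "/32", "*", "22"),
    Rule("DenySshFromElsewhere", 110, "Inbound", "Deny", "Tcp", "*", "*", "22"),
]


def evaluate(custom_rules, flow: Flow) -> str:
    """First matching rule in ascending priority order decides the flow."""
    for r in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.direction == flow.direction
                and r.protocol in ("*", flow.protocol)
                and addr_match(r.source, flow.src_ip)
                and addr_match(r.dest, flow.dst_ip)
                and port_match(r.dest_port, flow.dst_port)):
            return r.access
    return "Deny"   # unreachable in practice: DenyAll* always matches


def effective(subnet_rules, nic_rules, flow: Flow) -> str:
    """Inbound traffic hits the subnet NSG first, then the NIC NSG; outbound is
    the reverse. A flow passes only if both NSGs allow it."""
    order = [subnet_rules, nic_rules] if flow.direction == "Inbound" else [nic_rules, subnet_rules]
    for rules in order:
        if evaluate(rules, flow) == "Deny":
            return "Deny"
    return "Allow"


if __name__ == "__main__":
    for f in (Flow("Inbound", "Tcp", "10.10.2.7", "10.10.1.4", 3389),
              Flow("Inbound", "Tcp", "198.51.100.9", "10.10.1.4", 3389),
              Flow("Outbound", "Tcp", "10.10.1.4", "203.0.113.10", 443),
              Flow("Inbound", "Tcp", "10.10.2.7", "10.10.1.9", 22)):
        print(f, "->", effective(SUBNET_RULES, LINUX_NIC_RULES, f))
```

Running the block prints the decision for four constructed flows. The check worth repeating against a real Workspace is the one `evaluate([], ...)` makes obvious: with only Azure's default rules in place, outbound traffic to the internet is allowed, so the "no internet by default" property depends on the explicit deny being present and numbered above every allowlist entry.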
The optional services are covered by the Microsoft Security Center.
The security mechanisms, service levels and management requirements of all network services are part of the customer organisation agreement. Users are further informed of the standard services on myDRE, the optional services on myDRE and the service level agreement, all of which are published on the public Knowledge Base. anDREa also provides tenants with a monthly CTO report covering usage and compliance with the service level agreement.
Customer agreements (authorised personnel only).
Supplier agreements (authorised personnel only).
Non disclosure agreements (authorised personnel only).
Security policies within Microsoft Security Center.
CTO reports including reporting on the SLA.