A.13 Communications security

Version: 3.0

Valid until: 2025-04-10

Classification: Low

Version Management

  • Version 1.0, approved 2022-07-07. Author(s): Stefan van Aalst, Edward Robinson, Sarang Kulkarni. Change(s): Initiation document.

  • Version 1.1, approved 2022-12-02. Author(s): Edward Robinson. Change(s): Additions/changes as part of the periodic review and improvement. Renamed to A.13 Communications security from B15 Network Management.

  • Version 2.0, approved 2023-05-19. Author(s): Edward Robinson. Change(s): Additions/changes as part of the annual review. Small textual changes.

  • Version 3.0 (date approved not stated). Author(s): Edward Robinson. Change(s): Additions/changes as part of the annual review. Added the use of Google Suite under 13.2.3. Updated broken links for customer, supplier and non-disclosure agreements under Administrations.

Purpose & background


In the interest of all stakeholders, the top management of anDREa B.V. (hereafter called anDREa) is actively committed to demonstrably maintaining and continually improving an information security management system in accordance with the requirements of ISO 27001:2017.


The purpose of this document is to describe the communications security policy of anDREa and the associated controls, checks and administrations.


This document will be reviewed at least annually and when significant change happens.

Objectives


The objectives of this control are:


  • To ensure the protection of information in networks and its supporting information processing facilities (A.13.1).

  • To maintain the security of information transferred within an organisation and with any external entity (A.13.2).

Scope

The scope of this document corresponds to Clause 4 Context of the organisation.

Availability

This document is:


  • required reading for:

    • all employees and contractors of anDREa.

  • available for all interested parties as appropriate.

Norm elements

A.13.1 Network security management

A.13.1.1 Network controls


“Networks shall be managed and controlled to protect information in systems and applications.”


The myDRE high-level architecture is described in the Knowledge Base article myDRE high level architecture.

The following measures have been taken to secure the (virtual) network of anDREa:

  • anDREa does not own a physical location with an internal company network.

  • anDREa has measures and rules described in A.6.2 Mobile devices and teleworking.

  • For all Microsoft Azure resources, anDREa uses Microsoft Defender for Cloud. Microsoft Defender for Cloud does not, however, cover other assets used by anDREa (such as laptops and Google Drive).

    • Chromebooks of anDREa employees are enrolled and managed by anDREa through the Google Workspace.


myDRE standard services:


  • anDREa has built myDRE on the Microsoft Azure cloud environment. Each myDRE Workspace is connected to one or more virtual networks, where it is provided with a range of IP addresses that are allowed to interact. All services deployed in an Azure environment must use Azure Service Endpoints, which ensures isolation at the networking level when using Azure resources such as Virtual Machines (VMs), Web Applications and Storage services. Each myDRE Workspace is associated with one Microsoft Azure subnet within the virtual network. Each subnet has an Azure resource called a Network Security Group (NSG), which filters network traffic to and from Azure resources in the virtual network. anDREa's deployment code automatically applies an NSG with a base list of network rules to each myDRE Workspace. NSGs are also applied at the level of individual VMs.

    • Documentation about Workspace networking can be found here: Workspace networking (authorised personnel only).

  • VMs in Workspaces are governed by group policies and are only accessible within the anDREa virtual network.

  • By default, Windows VMs in myDRE Workspaces can be accessed directly through the Remote Desktop Protocol (RDP) over port 3389. Linux VMs are not reachable directly via SSH; they are accessed through a Windows VM used as a stepping stone. If RDP is not allowed at a tenant, or if the tenant does not wish to access Linux VMs via a stepping stone, the tenant can opt for the optional service Azure Bastion.

  • Each VM is equipped with Microsoft Azure endpoint protection agents such as Microsoft Defender for Cloud to protect against malware.

  • Standard services are covered by the Microsoft Security Center, which includes:

    • Threat detection for Azure services, networks, servers and VMs.

    • Adaptive and automated application controls.

    • Centralised security policy management to comply with internal and regulatory frameworks.

    • Prioritisation of security recommendations and alerts to take immediate measures concerning the most critical vulnerabilities.

    • Continuous security assessment for VMs, networks, storage and data services as well as applications running across the organisation's environment.


myDRE optional services:


  • Some organisations block RDP over port 3389. To accommodate their users, anDREa provides Azure Bastion as an optional feature. Bastion provides RDP over HTML in the browser, so port 3389 does not need to be opened. More information about the Bastion architecture and myDRE can be found here: Bastion architecture.

  • By default, myDRE Workspaces do not have internet access. In addition to IP allowlisting, anDREa now also offers domain allowlisting through the use of a proxy.

  • The optional services are covered by the Microsoft Security Center.
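As an added illustration (not anDREa's code), the following Python models how Azure evaluates the NSG attached to a Workspace subnet: the built-in default rules are Azure's real ones, while the base rule list, the VNet range and all IP addresses are assumed sample values. It shows why RDP over 3389 is reachable only from within the virtual network, why a Linux VM is not reachable by SSH from outside, and how an allowlisted IP becomes the only Internet destination a Workspace VM can reach.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags as ranges: VNet range is a constructed sample, 168.63.129.16 is Azure's real LB probe address.
TAGS = {
    "VirtualNetwork": [ip_network("10.10.0.0/16")],
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
    "*": [ip_network("0.0.0.0/0")],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # lower number is evaluated first, as in Azure
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    port: str        # "*" or a single destination port
    src: str         # service tag or CIDR
    dst: str         # service tag or CIDR

def _matches(spec: str, addr: str) -> bool:
    a = ip_address(addr)
    if spec == "Internet":  # Internet tag = any address outside the VNet
        return not any(a in n for n in TAGS["VirtualNetwork"])
    return any(a in n for n in TAGS.get(spec) or [ip_network(spec)])

# Azure's built-in default rules (real names and priorities).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]

# Assumed Workspace base list: one allowlisted IP on 443, all other Internet traffic denied (beats 65001).
BASE_RULES = [
    Rule("AllowAllowlistedIpOutBound", 1000, "Outbound", "Allow", "443", "*", "203.0.113.10/32"),
    Rule("DenyInternetOutBound", 4000, "Outbound", "Deny", "*", "*", "Internet"),
]
WORKSPACE_NSG = BASE_RULES + DEFAULT_RULES

def evaluate(rules, direction, src, dst, port):
    # The first rule that matches in priority order decides, exactly as Azure does.
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.port in ("*", str(port))
                and _matches(r.src, src) and _matches(r.dst, dst)):
            return r.access, r.name
    return "Deny", "no rule"  # not reachable while the DenyAll defaults are present
```

Running the same flows against a rule set without DenyInternetOutBound shows the default AllowInternetOutBound taking over, which is the misconfiguration a base-list check should catch.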


A.13.1.2 Security of networks


“Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.”

Security mechanisms, service levels and management requirements of all network services are part of the customer organisation agreement. Users are also informed of the standard services on myDRE, the optional services on myDRE and the service level agreement; all of these are published publicly on the Knowledge Base. In addition, anDREa provides tenants with a monthly CTO report on usage and on compliance with the service level agreement.


A.13.1.3 Segregation in networks


“Groups of information services, users and information systems shall be segregated on networks.”


anDREa has segregated networks per tenant, per subscription, per Workspace as described in myDRE high level architecture.

A.13.2 Information transfer

A.13.2.1 Information transfer policies and procedures


“Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.”


anDREa uses encryption as described in A.10 Cryptography to secure the transportation of data throughout the networks. Clients of anDREa are accountable for their transfer policies, procedures and controls.

A.13.2.2 Agreements on information transfer


“Agreements shall address the secure transfer of business information between the organisation and external parties.”


The requirements for secure information transfer are part of the customer and/or supplier agreements.

A.13.2.3 Electronic messaging


“Information involved in electronic messaging shall be appropriately protected.”


anDREa has separated its business accounts (Google Suite) and platform accounts (Office 365). All available security measures offered by Google Suite are implemented for electronic messaging, including (but not limited to) SPF and DKIM. For Office 365, the security measures offered by Microsoft are implemented. In addition, anDREa applies the policy stated in A.6.2 Mobile devices and teleworking.
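As an added check (not anDREa's own tooling), this Python evaluates the SPF and DKIM TXT records a Google Workspace-hosted domain publishes, using constructed sample answers instead of live DNS; example.com, the "google" selector and the key value are placeholders. It flags the configurations that weaken the two measures named above: a permissive or absent all qualifier, a missing Google include, too many DNS lookups, and a DKIM key that is revoked or still in testing mode.

```python
# Constructed sample TXT answers for a Google Workspace-hosted domain; example.com and the key are placeholders.
TXT_RECORDS = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
}
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # terms that count towards SPF's 10-lookup limit

def parse_spf(record):
    # Return (qualifier, mechanism) pairs; modifiers such as redirect= are skipped.
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            continue
        qual = term[0] if term[0] in "+-~?" else "+"
        parsed.append((qual, term.lstrip("+-~?")))
    return parsed

def check_spf(records):
    # Findings for a domain's TXT answers; an empty list means the SPF policy is sound.
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # RFC 7208: more than one record is a permanent error
        return ["expected exactly one SPF record, found %d" % len(spf)]
    terms = parse_spf(spf[0])
    findings = []
    if ("+", "include:_spf.google.com") not in terms:
        findings.append("Google Workspace include:_spf.google.com missing")
    alls = [q for q, m in terms if m == "all"]
    if not alls:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif alls[-1] in "+?":
        findings.append("'all' qualifier %s does not fail unlisted senders" % alls[-1])
    if sum(m.split(":")[0].split("/")[0] in LOOKUP_MECHS for _, m in terms) > 10:
        findings.append("more than 10 DNS-lookup terms: receivers return permerror")
    return findings

def parse_dkim(record):
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def check_dkim(records):
    tags = parse_dkim(records[0]) if records else {}  # empty list means the key is usable
    findings = []
    if not tags.get("p"):
        findings.append("missing or empty p tag: no public key, signatures will not verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: verifiers treat failures leniently")
    return findings
```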

A.13.2.4 Confidentiality or non-disclosure agreements


“Requirements for confidentiality or non-disclosure agreements reflecting the organisation’s needs for the protection of information shall be identified, regularly reviewed and documented.”


anDREa has engaged in data processing agreements with the customer organisations and other external parties. Confidentiality and non-disclosure agreements are part of the contracts. In addition, confidentiality and non-disclosure agreements are also part of the employee contracts.

Administrations

