CSA CCM IVS-08
Network Architecture Documentation

In a relaxed tone, let's dive into the world of network architecture documentation. This control is all about identifying and documenting those high-risk environments that need a little extra TLC. Think of it like making a map of your network kingdom, so you know where the dragons are lurking!

Where did this come from?

CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here to explore further. The AWS Well-Architected Framework documentation also has some great guidance on network architecture best practices.

Who should care?

  • Network architects with a need to document their realm
  • Security analysts with a desire to understand risk hot spots
  • Compliance officers with a requirement to demonstrate due diligence

What is the risk?

Poorly documented network architectures can lead to a host of horrors:

  • Misconfigured security controls leading to data breaches
  • Unidentified attack paths enabling lateral movement
  • Difficulty troubleshooting issues, prolonging outages Having a clear map of your high-risk environments helps tame these beasts.

What's the care factor?

On a scale of "meh" to "mega", this one rates a solid "moderately important". While it won't solve all your security woes, good documentation is foundational to managing risk. Spend the time upfront to get it right, and future you will thank past you.

When is it relevant?

Network documentation makes sense when:

  • You have a complex, multi-tiered architecture
  • You're dealing with sensitive data or regulated workloads
  • You have a large team that needs a shared understanding It's less crucial for simple, single server deployments or test environments.

What are the trade offs?

Creating and maintaining documentation takes time and effort. There's a risk it becomes neglected and out-of-date. Overly detailed docs can also become a security risk if they fall into the wrong hands. But skimping on documentation is a false economy. You'll burn way more hours down the track because of poor change management and incident response.

How to make it happen?

  1. Determine your documentation tooling (e.g. Visio, Lucidchart, a whiteboard and a phone camera)
  2. Define what detail needs capturing based on the implementation guidelines
  3. Gather asset inventory data to feed into your diagrams
  4. Create drafts of your diagrams and have them peer reviewed
  5. Publish the diagrams in a secure but accessible location
  6. Schedule regular reviews to keep them up-to-date, especially after major changes

What are some gotchas?

  • Ensure anyone with access to the diagrams has a legitimate need-to-know
  • In AWS, you'll need permissions to describe your EC2 instances, networking config, etc. Check out the ec2:DescribeInstances docs for details.
  • Don't forget version control on your diagrams to track changes over time

What are the alternatives?

You could use Infrastructure-as-Code tools like CloudFormation or Terraform to define your architecture. The code then becomes the documentation. However, these can be harder for non-technical folk to grok compared to a nice diagram.

Explore further

  • Check out CIS Control 1 on Inventory and Control of Enterprise Assets for asset management best practices
  • NIST SP 800-171 3.13.1 also has guidance on monitoring and control of communications at network boundaries

So there you have it. Network architecture documentation may not be the sexiest of topics, but it's a key plank in your security platform. Map out those high-risk environments and sleep a little sounder at night!

?

Blog

Learn cloud security with our research blog