Naver Cloud
Naver Cloud Diagnosis Items
| Category | Resource | Option | Item | Description | Risk Level | ISO27001 | CSAP | ISMS-P | Stability Assessment |
|---|---|---|---|---|---|---|---|---|---|
| Compute | Launch Configuration | Is Encrypted Volume | Encryption | Disable block storage encryption | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
| Compute | Server | Is Encrypted Base Block Storage Volume | Encryption | Disable block storage encryption | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
| Container | Kubernetes Cluster | Enable Audit Log | Logging Monitoring | Disable audit logging | MEDIUM | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
| Container | Kubernetes Cluster | Enable Public Subnet Network | Access Control | Allow public network access | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Database | Mongodb | Backup File Retention Period | Data Protection | Short log retention period | MEDIUM | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
| Database | Mssql | Backup File Retention Period | Data Protection | Short log retention period | MEDIUM | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
| Database | Mysql | Enable Backup | Data Protection | Disable backup | MEDIUM | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
| Database | Mysql | Backup File Retention Period | Data Protection | Short log retention period | MEDIUM | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
| Database | Mysql | Enable High Availability, Is Storage Encryption | Encryption | Disable storage encryption | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
| Database | Redis | Enable Backup | Data Protection | Disable backup | MEDIUM | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
| Database | Redis | Backup File Retention Period | Data Protection | Short log retention period | MEDIUM | 8.1 Operational planning and control | 6.2.2. Redundancy and Backup | 2.9 System and Service Operation Management | 5.2.1 Service Availability |
| Networking | Access Control Group | Acg Description | Logging Monitoring | Absence of description | LOW | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
| Networking | Access Control Group | Inbound Rule > Description | Logging Monitoring | Absence of description | LOW | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
| Networking | Access Control Group | Outbound Rule > Description | Logging Monitoring | Absence of description | CRITICAL | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
| Networking | Access Control Group | Inbound Rule > Ip Block | Access Control | Set CIDR full range | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Access Control Group | Inbound Rule > Ip Block, Inbound Rule > Port Range | Access Control | FTP Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Access Control Group | Inbound Rule > Ip Block, Inbound Rule > Port Range | Access Control | SSH Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Access Control Group | Inbound Rule > Ip Block, Inbound Rule > Port Range | Access Control | HTTP Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Access Control Group | Inbound Rule > Ip Block, Inbound Rule > Port Range | Access Control | RDP Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Access Control Group | Outbound Rule > Ip Block | Access Control | Set CIDR full range | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Load Balancer | Network Type | Access Control | Use public network | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Load Balancer | Listener > Tls Min Version Type | Encryption | Use of Weak TLS Versions | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
| Networking | Load Balancer | Listener > Protocol | Access Control | Using Unencrypted HTTP Protocol | CRITICAL | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
| Networking | Network Acl | Nacl Description | Logging Monitoring | Absence of description | LOW | 9.1 Monitoring, measurement, analysis and evaluation | 7.2.2 Audit Records and Monitoring | 2.11 Incident Prevention and Response | 1.4.1 Security Audit |
| Networking | Network Acl | Inbound Rule > Ip Block | Access Control | Set CIDR full range | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Network Acl | Inbound Rule > Port Range | Access Control | Set port full range | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Network Acl | Inbound Rule > Ip Block, Inbound Rule > Action, Inbound Rule > Port Range | Access Control | FTP Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Network Acl | Inbound Rule > Ip Block, Inbound Rule > Action, Inbound Rule > Port Range | Access Control | SSH Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Network Acl | Inbound Rule > Ip Block, Inbound Rule > Action, Inbound Rule > Port Range | Access Control | HTTP Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Network Acl | Inbound Rule > Ip Block, Inbound Rule > Action, Inbound Rule > Port Range | Access Control | RDP Access Allowed from the Internet | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Network Acl | Outbound Rule > Ip Block | Access Control | Set CIDR full range | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Public Ip | Target Server Name | Access Control | Public IP exists | CRITICAL | 8.1 Operational planning and control | 10.1.1. Access Control Policy Establishment | 2.6 Access Control | 7.1.1 Access Control Policy |
| Networking | Target Group | Protocol | Access Control | Use unencrypted HTTP protocol | CRITICAL | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |
| Storage | Nas Volume | Is Encrypted | Encryption | Disable encryption | HIGH | 8.1 Operational planning and control | 12.3.1. Encryption Policy Establishment | 2.7 Cryptography Application | 10.2.1 Encryption |