IBM Cloud Docs
SC-7 - Boundary Protection

SC-7 - Boundary Protection

Control requirements

The information system:

SC-7 (a)
Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
SC-7 (b)
Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
SC-7 (c)
Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Additional IBM Cloud for Financial Services specifications

  • The organization "service delivery" and "corporate" environments must be maintained as separate environments. That is, clear physical and/or logical boundaries separating the two environments must exist.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

Rules for SC-7 in IBM Cloud for Financial Services v1.2.0 profile
Requirement ID Rules
SC-7 (a)
  • Check whether Security Groups for VPC contains no outbound rules in security groups that specify source IP 8.8.8.8/32 to DNS port
  • Check whether Event Streams network access is restricted to a specific IP range
  • Check whether Virtual Servers for VPC instance doesn't have a floating IP
  • Check whether Application Load Balancer for VPC has public access disabled
  • Check whether Flow Logs for VPC are enabled
  • Check whether OpenShift clusters are accessible only by using private endpoints
  • Check whether authorized IP ranges are configured for the account
  • Check whether Virtual Private Cloud (VPC) security groups have inbound ports that are open only to permitted IP addresses
  • Check whether Hyper Protect DBaaS for MongoDB is accessible only using private endpoints
  • Check whether Event Streams is accessible only by using private endpoints
  • Check whether Hyper Protect DBaaS for PostgreSQL is accessible only using private endpoints
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to any port
  • Check whether all virtual server instances have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached at the time of provisioning
  • Check whether App ID redirect URIs are not using wildcards (*)
  • Check whether Virtual Servers for VPC instance has all interfaces with IP-spoofing disabled
  • Check whether Cloud Object Storage network access is restricted to a specific IP range
  • Check whether account has at least one VPN or Direct Link configured
  • Check whether Virtual Private Cloud (VPC) classic access is disabled
  • Check whether Virtual Private Cloud (VPC) has no rules in the default security group
  • Check whether all network interfaces of a virtual server instance have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether Container Registry image pushes and pulls take place only over private endpoints
  • Check whether Virtual Servers for VPC instance has the minimum # interfaces
  • Check whether Virtual Private Cloud (VPC) has no subnet with public gateway attached
  • Check whether Hyper Protect Crypto Services is accessible only through private endpoints
  • Check whether Virtual Private Cloud (VPC) security groups have outbound ports that are open only to permitted IP addresses
  • Check whether Virtual Private Cloud (VPC) is configured with public gateways that are provisionable only within permitted zones
  • Check whether Cloud Object Storage public access is disabled in IAM settings (not applicable to ACLs managed using S3 APIs)
  • Check whether a security group other than the default for Virtual Private Cloud is attached to all endpoints
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to RDP port
  • Check whether App ID redirect URIs are not using localhost or 127.0.0.1
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to SSH port
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port
SC-7 (b)
  • Check whether Security Groups for VPC contains no outbound rules in security groups that specify source IP 8.8.8.8/32 to DNS port
  • Check whether Event Streams network access is restricted to a specific IP range
  • Check whether Virtual Servers for VPC instance doesn't have a floating IP
  • Check whether OpenShift clusters are accessible only by using private endpoints
  • Check whether Hyper Protect DBaaS for MongoDB is accessible only using private endpoints
  • Check whether Event Streams is accessible only by using private endpoints
  • Check whether Hyper Protect DBaaS for PostgreSQL is accessible only using private endpoints
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to any port
  • Check whether all virtual server instances have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached at the time of provisioning
  • Check whether App ID redirect URIs are not using wildcards (*)
  • Check whether Virtual Servers for VPC instance has all interfaces with IP-spoofing disabled
  • Check whether Cloud Object Storage network access is restricted to a specific IP range
  • Check whether account has at least one VPN or Direct Link configured
  • Check whether Virtual Private Cloud (VPC) classic access is disabled
  • Check whether Virtual Private Cloud (VPC) has no rules in the default security group
  • Check whether all network interfaces of a virtual server instance have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether Container Registry image pushes and pulls take place only over private endpoints
  • Check whether Virtual Servers for VPC instance has the minimum # interfaces
  • Check whether Hyper Protect Crypto Services is accessible only through private endpoints
  • Check whether Cloud Object Storage public access is disabled in IAM settings (not applicable to ACLs managed using S3 APIs)
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to RDP port
  • Check whether App ID redirect URIs are not using localhost or 127.0.0.1
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to SSH port
SC-7 (c)
  • Check whether Virtual Private Cloud (VPC) security groups have inbound ports that are open only to permitted IP addresses
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached
  • Check whether all virtual server instances have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether Virtual Private Cloud (VPC) has no public gateways attached at the time of provisioning
  • Check whether account has at least one VPN or Direct Link configured
  • Check whether Virtual Private Cloud (VPC) classic access is disabled
  • Check whether Virtual Private Cloud (VPC) has no rules in the default security group
  • Check whether all network interfaces of a virtual server instance have at least one Virtual Private Cloud (VPC) security group attached
  • Check whether Virtual Servers for VPC instance has the minimum # interfaces
  • Check whether Virtual Private Cloud (VPC) has no subnet with public gateway attached
  • Check whether Virtual Private Cloud (VPC) security groups have outbound ports that are open only to permitted IP addresses
  • Check whether Virtual Private Cloud (VPC) is configured with public gateways that are provisionable only within permitted zones
  • Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port

NIST supplemental guidance

Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions.