Network security
Introduction
Altus Group operates a Zero Trust Network Architecture comprising Altus Group networks and resources provisioned within data centers, third-party cloud services and some on-premises office networks*, collectively known as Altus Internal Resources.
Account network access
Network Access is based on the principles of least privilege and least functionality.
User network access is provisioned and deprovisioned as part of the Joiner, Mover, Leaver (JML) workflow.
Local System, Local Service and Network Service accounts are prohibited.
Network access security
Access to Altus Group environments is deployed on the principle of Zero Trust.
End user devices have the Zero Trust Network Broker installed so that they can connect to Altus Internal Resources.
Access logs are sent to the SIEM.
The network is reviewed for shadow IT and shadow devices.
Administration of network access
A Privileged Identity Management tool is used for all privileged access.
Network access requests are not granted using the Active Directory Global Administrator account.
A dedicated administrator account is set up for managing user network access.
Network Access requests go through an approval process.
Protocols that do not support encryption are disabled.
User network access
All Accounts are granted network access based on least privilege and least functionality.
Only Altus Group devices are allowed network access to Altus Internal Resources.
User Network Access is recertified periodically.
Third-party network access
A formal risk assessment is performed for any third-party network access request.
Cloud Network Security Requirements
Security groups are not broadly permissive.
Traffic from the internet is filtered so that only the required ports are reachable.
Cloud services do not connect directly to the internet.
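The three cloud requirements above can be checked mechanically against exported security group rules. The following Python script is an added example, not Altus Group's tooling; the rule format, the group names and the allow-list of internet-facing ports (80 and 443) are assumptions constructed for the example. It flags inbound rules that permit all protocols, rules open to the whole internet that are not pinned to a single port, and internet-facing ports outside the allow-list.

```python
import ipaddress
import json

# Constructed sample of inbound security group rules, loosely shaped like the
# rule objects cloud providers export. These are NOT Altus Group's rules;
# every name and address below is an assumption for this example.
SAMPLE_SECURITY_GROUPS = json.loads("""
[
  {"name": "web-tier",
   "inbound": [
     {"protocol": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
     {"protocol": "tcp", "from_port": 22,  "to_port": 22,  "source": "0.0.0.0/0"}
   ]},
  {"name": "app-tier",
   "inbound": [
     {"protocol": "-1",  "from_port": 0,    "to_port": 65535, "source": "0.0.0.0/0"},
     {"protocol": "tcp", "from_port": 8080, "to_port": 8080,  "source": "10.20.0.0/16"}
   ]},
  {"name": "db-tier",
   "inbound": [
     {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "source": "10.20.0.0/16"}
   ]}
]
""")

# Ports a service may expose to the internet (an assumption for the example;
# a real policy would source this list from the approved service catalogue).
INTERNET_ALLOWED_PORTS = {80, 443}


def is_internet_source(source):
    """True when the source CIDR matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def rule_findings(rule):
    """Return the list of policy violations for a single inbound rule."""
    findings = []
    all_protocols = rule["protocol"] == "-1"
    single_port = rule["from_port"] == rule["to_port"]
    internet = is_internet_source(rule["source"])

    if all_protocols:
        findings.append("rule permits all protocols")
    if internet:
        if all_protocols or not single_port:
            findings.append("internet-facing rule is not limited to a specific port")
        elif rule["from_port"] not in INTERNET_ALLOWED_PORTS:
            findings.append(
                f"port {rule['from_port']} exposed to the internet is not on the allow-list"
            )
    return findings


def audit_security_groups(groups):
    """Audit every inbound rule; return {group_name: [finding, ...]} for
    groups that violate the policy. Groups with no findings are omitted."""
    report = {}
    for group in groups:
        findings = []
        for rule in group["inbound"]:
            findings.extend(rule_findings(rule))
        if findings:
            report[group["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_security_groups(SAMPLE_SECURITY_GROUPS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

On the constructed sample, db-tier passes (internal source, single port), web-tier is flagged for SSH on port 22 open to the internet, and app-tier is flagged twice for its all-protocol, all-port rule. Running this against a periodic export of live rules gives an evidence trail for the recertification and SIEM review steps described earlier on the page.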