Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cloud Guardrail for Sandbox environment not clear #96

Open
PatrickMessierGoC opened this issue Nov 4, 2022 · 2 comments
Open

Cloud Guardrail for Sandbox environment not clear #96

PatrickMessierGoC opened this issue Nov 4, 2022 · 2 comments
Labels
enhancement New feature or request

Comments

@PatrickMessierGoC
Copy link

Problem to solve

We are trying to understand the "segment & separate" requirement for "Experimentation/Sandbox" (profile 1) environment. We find the statement "Required (network filtering at a minimum)" is vague and open to interpretation.

Intended users

Departmental teams mendated to implement Cloud Guardrails.

Further details

Development teams request public cloud environment to implement DevOps workflows whereas IT Security teams often claim that, based on the "segment & separate" requirement, development environments must be behind firewall, thus be somewhat private, even if "Experimentation/Sandbox" environments is used.

Proposal

Can you please elaborate on what is truly expected from this expression and add those clarification to the table here. For example, would IP filtering on resources be enough for trully development enviroment?

Permissions and Security

N/A

What does success look like, and how can we measure that?

  • Documentation is updated with more details and concrete examples of what is acceptable for the "Segment and separate" guardrail for "Experimentation/Sandbox" environment.
  • Clarifications is added on which environment/profile is suitable for DevOps workflows.

Links / references

N/A

@PatrickMessierGoC PatrickMessierGoC added the enhancement New feature or request label Nov 4, 2022
@fmichaelobrien
Copy link
Contributor

Patrick, Thanks for the question - very good point - I have run into this myself gathering compliance evidence - yes GR 8 at the profile 1 level https://github.com/canada-ca/cloud-guardrails/blob/master/EN/00_Applicable-Scope.md usually involves the default VPC (non-shared at this point) with default ingress/egress FW rules, no policies, no org policies on public IP restriction.
However it is recommended to have GR 5 - regional restriction to the 2 regions in Canada - this will force VPC creation to limit to these 2 regions and provide for minimal segmentation.

Ideally a network diagram like the following would help but not required.

As a work item over the next couple days I will add a PR to adjust the scope of the GR8 ask in terms of detailing "Network Filtering" - which implies either a cloud native DDoS, Firewall, AV, WAF, IPS/IDS packet inspection set of services or NGFW appliance like Fortigate - or VPC network separation - which is - I think the intention of "Network filtering". In this case VPC separation via routes, FW rules at the VPC or tag level for IaaS VMs in the VPC) - all of which in the case of most CSPs including GCP are part of a default VPC (as long as regional restriction policy is in place)

Security Control
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#iam---organization-policies---resource-location-restriction

Code:

Guardrails

Kubernetes Config Controller Landing Zone

@PatrickMessierGoC
Copy link
Author

@fmichaelobrien Thanks for your quick reply. Any ETA for the documentation updates?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants