Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updating testing requirements for VPC #523

Draft
wants to merge 11 commits into
base: main
Choose a base branch
from
Draft

Updating testing requirements for VPC #523

wants to merge 11 commits into from

Conversation

mlysaght2017
Copy link
Contributor

No description provided.

@mlysaght2017
Copy link
Contributor Author

@eddie-knight - adding in some new threats/controls for VPC - please check on testing requirements

eddie-knight
eddie-knight reviewed Nov 11, 2024
View reviewed changes
Copy link
Contributor

@eddie-knight eddie-knight left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Didn't get through everything, but here are a few suggestions

services/networking/vpc/controls.yaml Outdated Show resolved Hide resolved
services/networking/vpc/controls.yaml Outdated Show resolved Hide resolved
services/networking/vpc/controls.yaml Outdated Show resolved Hide resolved
services/networking/vpc/controls.yaml Outdated Show resolved Hide resolved
@mlysaght2017
Copy link
Contributor Author

@eddie-knight @sarahecraddock - I think we're nearly there- cleaned up VPC threats and controls - please review, particularly from testing requirements perspective.

@zeal-somani - there are a couple of threats that are missing VPC features to reference to, e.g. VPC Peering, Route Tables.

ianwalkersmithciticom
ianwalkersmithciticom reviewed Nov 12, 2024
View reviewed changes
Copy link

@ianwalkersmithciticom ianwalkersmithciticom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a requirement to use MUST and MUST NOT in uppercase as part of this project, if so what is the rationale? Is it following a standard?

@eddie-knight
Copy link
Contributor

eddie-knight commented Nov 12, 2024
edited
Loading

Hey @ianwalkersmithciticom — we're trying to hone in on an official style guide, and this is reflective of the latest discussion: When <activity>, <actor> MUST/NOT <action>.

Do you have any input to add?

ianwalkersmithciticom
ianwalkersmithciticom reviewed Nov 12, 2024
View reviewed changes
services/networking/vpc/controls.yaml Outdated
- id: CCC.VPC.C01.TR02
text: |
Confirm that only custom networks with appropriate security controls are in place.
When a new project/account/subscription is created, then the project/account/subscription MUST NOT contain any default network resources.
Copy link

@ianwalkersmithciticom ianwalkersmithciticom Nov 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that project/account/subscription needs to be replaced with a non-CSP term. I'm unsure out of Azure/GCP/AWS what the terms are, but we could be extending this over time. The account is a trust-boundary - an isolation unit.

Here are a few generic terms you could consider for a trust boundary in CSPs:

  • Security Boundary -- kinda what it is
  • Isolation Unit
  • Resource Container
  • Security Domain
  • Trust Domain
  • Enclave
  • Tenant -- not bad
  • Workspace -- too close to Google workspace

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good.

I was just looking at this also, ruled out most alternatives I came up with... best I could think of was "environment"

Copy link
Contributor Author

@mlysaght2017 mlysaght2017 Nov 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd favour tenant or tenancy as I think this is used out there already to cover all three. Could be a bit confusing wrt to how Azure uses tenant for an Azure AD instance, but otherwise ok...

Please vote:

  • Tenant
  • Tenancy
  • Cloud Tenancy

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer this option:

"CSP organization" --> "CSP organization OU" --> CSP resource container --> resource(s)

Why?
The above I think covers nearly all clouds and is generic enough to now say project, account, subscription.
Tenant to me is usually a 'user' construct of an AWS Account or GCP project.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resource container makes logical sense for sure - I'm just worried that it's not a recognized term and sounds a bit awkward:

When a resource container is created, it must not contain any default network resources

@eddie-knight @damienjburks - what do you reckon? If it sounds ok, then we can create an issue to create a glossary of terms - may well need that anyway

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ianwalkersmithciticom ianwalkersmithciticom ianwalkersmithciticom left review comments

@eddie-knight eddie-knight eddie-knight left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mlysaght2017 @eddie-knight @ianwalkersmithciticom