Evaluate scope of: compliant financial infrastructure.

[abdullahgarcia]

Current state:

• We have been focusing on providing IaC that allows a user to stand up a cloud service which aims to be financially compliant.
• The cloud service provider allows its users to set specific parameters within the configuration of the service.

Problem:

• The set of specific parameters the cloud service provider allows its users to customise when standing up a service might not be enough to achieve financial compliance.
• For example, configuring an EKS cluster using the set of specific parameters a user can customise before creating a cluster will not pass all CIS benchmarks. The reason is because after creating a cluster, which would be the end line of the EKS service customisation, a user needs to configure several more things within the cluster to achieve such "financial compliance": e.g. RBAC roles, RBAC entitlements, pod security policies, image registries, etc. Strictly speaking, the latter goes beyond the scope and responsibility of the service as defined in the shared responsibility model. But, without getting that sorted, CIS benchmarks checks fail.
• Defining what's the extent of the actions required to achieve financial compliant infrastructure will be relevant in order to keep going forward.

[eddie-knight]

Concur that we need more input and perspectives from the community on this topic.

My opinion is that we should set a scope saying that a service approval accelerator should at minimum cover a baseline standard such as NIST, CIS, or PCI-DSS.

(Edited to include PCI-DSS in my examples.)

[AdrianHammond]

I would also add PCI-DSS to @eddie-knight comment.

[eddie-knight]

From the community call discussion today... the goal here is do define what a compliant state is across all accelerators. This has been handled on a case-by-case basis in the past, but we have determined that it is imperative to establish a project-wide definition.

[AdrianHammond]

This is an upstream compliance project that Red Hat and others contribute to, is this something you are aware of?

https://github.com/ComplianceAsCode/content

[jstclair2019]

Hi everyone, I had a question or two, and this looks like the right place to land. I led the audit team with the US GSA to audit GCP for federal IT compliance, as well as other audit work in Sarbanes Oxley, NIST/FISMA, and (what was ) SSAE 16 IT engagements. I'm reading into this discussion that you have a desire to a) come to agreement on appropriate regulatory controls for Internal Controls over Financial Reporting (ICFR) and b) inculcate those controls as IaC.
if I read that right, I'd be happy to discuss and assist if desired.

[eddie-knight]

Hey @jstclair2019, sorry for letting this conversation go stale on you! I've created an issue #263 to hopefully prevent issues like this again.

Would you be willing to join us on Slack, or in one of our community calls to discuss opportunities for collaboration?

https://github.com/finos/compliant-financial-infrastructure/blob/dev/docs/CONTRIBUTING.md#community-channels

[mcleo-d]

Hi @eddie-knight and @jstclair2019 - I have added @jstclair2019 to the Compliant Financial Infrastructure calendar invite for #265 and beyond. It would be great to talk more.

[eddie-knight]

This conversation can be closed out as it has been resolved by #250. If additional changes to documentation are needed for clarity, please provide suggestions on #250.