You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Related to providing for an extendable schema for unique use cases - #670
OSCAL & Open Service Broker API
The following note is raw research done around the idea of integrating (or extending) the OpenServiceBroker schema with OSCAL to better manage security control implementation and inheritance.
Pre-req context
What's OpenServiceBroker The OpenServiceBroker API is a standard for "binding" frontend applications to backend services within a Platform-as-a-Service. The model has been extended to include many IaaS providers using it to make their shared service offering available directly in/as a marketplace. The concept/standard evolved from cloud foundary ecosystem, as has been adopted by many large IaaS/PaaS providers.
What's OSCAL OSCAL is a NIST standard aiming to create a machine readable schema/standard for security compliance framework implementation (e.g. NIST 800-53, SOC2, ISO-20017, CIS, etc, etc).
The goal of it is to provide the exchange format for vendor interoperability for security compliance accreditation and ongoing authorizations.
What's OpenServiceBroker & OSCAL together
The idea behind this research is to assess the feasibility and value/potential of coordinating an intergration of these standards.
User Story
As an application developer I want to deploy applications and manage/develop them for users needs. Security compliance is added work and often is not directly related to the system's actual security. Using a PaaS like Cloud.gov I want to inherit it's security controls, declare my response to their customer responsibilities in code deployable along side my application, and additionally address the custom/additional security controls of using a custom/3rd party backend service that I broker to. This custom backend therefore would need to declare its specific customer responsibilities for configuration and approved use (e.g. FTP-like storage, Database-as-a-service, Search-index-as-a-service IaaS service offering's specific tailoring/hardening).
Each of the examples below is one of either:
Application (that relies on/inherits from a PaaS's security controls)
Platform (that relies on/inherits from an IaaS's security controls)
Infrastructure (that relies on/inherits from itself)
This standard is THE standard federal security model for a new application SaaS <- PaaS + Agency Procedures <- IaaS = ATO
Is important because they inherit each other's security model from the ground up. This inheritance is reflected in a concept commonly called a "Customer Responsibility Matrix (CRM)".
CRM is a term or art that has evolved out of the NIST 800-53/RMF framework. At its core is the idea that; I (provider) am telling you (customer) that I have implemented all these things for you to the degree I could/can - to the degree/extent I'm able to:
FULLY - Everything is fully implemented for you - you don't have to do anything more to implement this control besides using my standardizzed service (fully inherited).
PARTIALLY - We've done all-we-can to fully implement this protection - but you still need to take some action (e.g. enable a non-default setting or configure your service to not do this the wrong way). But here is what's left for you to ensure/do to fully implement.
NONE - Sorry we can't contribute to this or do anything for you here. You are on your own and/or this is an organizational control that you might inherit directly from compliance with your agencies policies and procedures?
The text was updated successfully, but these errors were encountered:
Related to providing for an extendable schema for unique use cases - #670
OSCAL & Open Service Broker API
Pre-req context
What's
OpenServiceBroker
The OpenServiceBroker API is a standard for "binding" frontend applications to backend services within a Platform-as-a-Service. The model has been extended to include many IaaS providers using it to make their shared service offering available directly in/as a marketplace. The concept/standard evolved from cloud foundary ecosystem, as has been adopted by many large IaaS/PaaS providers.
What's
OSCAL
OSCAL is a NIST standard aiming to create a machine readable schema/standard for security compliance framework implementation (e.g. NIST 800-53, SOC2, ISO-20017, CIS, etc, etc).
The goal of it is to provide the exchange format for vendor interoperability for security compliance accreditation and ongoing authorizations.
What's
OpenServiceBroker & OSCAL together
The idea behind this research is to assess the feasibility and value/potential of coordinating an intergration of these standards.
User Story
As an application developer I want to deploy applications and manage/develop them for users needs. Security compliance is added work and often is not directly related to the system's actual security. Using a PaaS like Cloud.gov I want to inherit it's security controls, declare my response to their customer responsibilities in code deployable along side my application, and additionally address the custom/additional security controls of using a custom/3rd party backend service that I broker to. This custom backend therefore would need to declare its specific customer responsibilities for configuration and approved use (e.g. FTP-like storage, Database-as-a-service, Search-index-as-a-service IaaS service offering's specific tailoring/hardening).
Each of the examples below is one of either:
Is important because they inherit each other's security model from the ground up. This inheritance is reflected in a concept commonly called a "Customer Responsibility Matrix (CRM)".
CRM is a term or art that has evolved out of the NIST 800-53/RMF framework. At its core is the idea that; I (provider) am telling you (customer) that I have
implemented
all these things for you to the degree I could/can - to the degree/extent I'm able to:fully inherited
).The text was updated successfully, but these errors were encountered: