-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updating testing requirements for VPC #523
base: main
Are you sure you want to change the base?
Conversation
@eddie-knight - adding in some new threats/controls for VPC - please check on testing requirements |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't get through everything, but here are a few suggestions
Co-authored-by: Eddie Knight <knight@linux.com>
Co-authored-by: Eddie Knight <knight@linux.com>
Co-authored-by: Eddie Knight <knight@linux.com>
@eddie-knight @sarahecraddock - I think we're nearly there- cleaned up VPC threats and controls - please review, particularly from testing requirements perspective. @zeal-somani - there are a couple of threats that are missing VPC features to reference to, e.g. VPC Peering, Route Tables. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a requirement to use MUST and MUST NOT in uppercase as part of this project, if so what is the rationale? Is it following a standard?
Hey @ianwalkersmithciticom — we're trying to hone in on an official style guide, and this is reflective of the latest discussion: Do you have any input to add? |
- id: CCC.VPC.C01.TR02 | ||
text: | | ||
Confirm that only custom networks with appropriate security controls are in place. | ||
When a new project/account/subscription is created, then the project/account/subscription MUST NOT contain any default network resources. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that project/account/subscription needs to be replaced with a non-CSP term. I'm unsure out of Azure/GCP/AWS what the terms are, but we could be extending this over time. The account is a trust-boundary - an isolation unit.
Here are a few generic terms you could consider for a trust boundary in CSPs:
- Security Boundary -- kinda what it is
- Isolation Unit
- Resource Container
- Security Domain
- Trust Domain
- Enclave
- Tenant -- not bad
- Workspace -- too close to Google workspace
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is good.
I was just looking at this also, ruled out most alternatives I came up with... best I could think of was "environment"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd favour tenant or tenancy as I think this is used out there already to cover all three. Could be a bit confusing wrt to how Azure uses tenant for an Azure AD instance, but otherwise ok...
Please vote:
- Tenant
- Tenancy
- Cloud Tenancy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd prefer this option:
"CSP organization" --> "CSP organization OU" --> CSP resource container --> resource(s)
Why?
The above I think covers nearly all clouds and is generic enough to now say project, account, subscription.
Tenant to me is usually a 'user' construct of an AWS Account or GCP project.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resource container makes logical sense for sure - I'm just worried that it's not a recognized term and sounds a bit awkward:
When a resource container is created, it must not contain any default network resources
@eddie-knight @damienjburks - what do you reckon? If it sounds ok, then we can create an issue to create a glossary of terms - may well need that anyway
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think "subscription" make more sense to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Spoke with @zeal-somani and we think subscription would work best
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mlysaght2017 — Does Resource Group work here instead? It seems like a generic enough term that there wouldn't be potential for confusion with other things like containers and pub/sub subscriptions.
No description provided.