Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updating testing requirements for VPC #523

Draft
wants to merge 12 commits into
base: main
Choose a base branch
from

Conversation

mlysaght2017
Copy link
Contributor

No description provided.

@mlysaght2017
Copy link
Contributor Author

@eddie-knight - adding in some new threats/controls for VPC - please check on testing requirements

Copy link
Contributor

@eddie-knight eddie-knight left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Didn't get through everything, but here are a few suggestions

services/networking/vpc/controls.yaml Outdated Show resolved Hide resolved
services/networking/vpc/controls.yaml Outdated Show resolved Hide resolved
services/networking/vpc/controls.yaml Outdated Show resolved Hide resolved
services/networking/vpc/controls.yaml Outdated Show resolved Hide resolved
mlysaght2017 and others added 4 commits November 12, 2024 11:12
Co-authored-by: Eddie Knight <knight@linux.com>
Co-authored-by: Eddie Knight <knight@linux.com>
Co-authored-by: Eddie Knight <knight@linux.com>
@mlysaght2017
Copy link
Contributor Author

@eddie-knight @sarahecraddock - I think we're nearly there- cleaned up VPC threats and controls - please review, particularly from testing requirements perspective.

@zeal-somani - there are a couple of threats that are missing VPC features to reference to, e.g. VPC Peering, Route Tables.

Copy link

@ianwalkersmithciticom ianwalkersmithciticom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a requirement to use MUST and MUST NOT in uppercase as part of this project, if so what is the rationale? Is it following a standard?

@eddie-knight
Copy link
Contributor

eddie-knight commented Nov 12, 2024

Hey @ianwalkersmithciticom — we're trying to hone in on an official style guide, and this is reflective of the latest discussion: When <activity>, <actor> MUST/NOT <action>.

Do you have any input to add?

- id: CCC.VPC.C01.TR02
text: |
Confirm that only custom networks with appropriate security controls are in place.
When a new project/account/subscription is created, then the project/account/subscription MUST NOT contain any default network resources.
Copy link

@ianwalkersmithciticom ianwalkersmithciticom Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that project/account/subscription needs to be replaced with a non-CSP term. I'm unsure out of Azure/GCP/AWS what the terms are, but we could be extending this over time. The account is a trust-boundary - an isolation unit.

Here are a few generic terms you could consider for a trust boundary in CSPs:

  • Security Boundary -- kinda what it is
  • Isolation Unit
  • Resource Container
  • Security Domain
  • Trust Domain
  • Enclave
  • Tenant -- not bad
  • Workspace -- too close to Google workspace

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is good.

I was just looking at this also, ruled out most alternatives I came up with... best I could think of was "environment"

Copy link
Contributor Author

@mlysaght2017 mlysaght2017 Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd favour tenant or tenancy as I think this is used out there already to cover all three. Could be a bit confusing wrt to how Azure uses tenant for an Azure AD instance, but otherwise ok...

Please vote:

  • Tenant
  • Tenancy
  • Cloud Tenancy

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer this option:

"CSP organization" --> "CSP organization OU" --> CSP resource container --> resource(s)

Why?
The above I think covers nearly all clouds and is generic enough to now say project, account, subscription.
Tenant to me is usually a 'user' construct of an AWS Account or GCP project.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resource container makes logical sense for sure - I'm just worried that it's not a recognized term and sounds a bit awkward:

When a resource container is created, it must not contain any default network resources

@eddie-knight @damienjburks - what do you reckon? If it sounds ok, then we can create an issue to create a glossary of terms - may well need that anyway

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think "subscription" make more sense to me.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Spoke with @zeal-somani and we think subscription would work best

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mlysaght2017 — Does Resource Group work here instead? It seems like a generic enough term that there wouldn't be potential for confusion with other things like containers and pub/sub subscriptions.

image
ref

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants