Extend Object Storage Controls (#263)
Co-authored-by: Eddie Knight <[email protected]> Co-authored-by: Damien Burks <[email protected]>
1 parent f0d06e4, commit 82691d0
Showing 3 changed files with 244 additions and 8 deletions.
@@ -1,11 +1,139 @@ | ||
# Object Storage Controls | ||
# CCC.OS: Object Storage | ||
|
||
This document contains an abstracted list of controls based on the Threats for Object Storage. The scope of these controls expand across various cloud service providers. | ||
| Control Id | Service Taxonomy Id | Control | | ||
| ---------- | ------------------- | ------------------------------------------------------ | | ||
| CCC.OS.C1 | CCC-020115 | Prevent unencrypted requests to object storage bucket | | ||
| CCC.OS.C2 | CCC-020114 | Ensure data encryption at rest | | ||
| CCC.OS.C3 | CCC-020116 | Implement multi-factor authentication (MFA) for access | | ||
| CCC.OS.C4 | CCC-020112 | Maintain immutable backups of data | | ||
| CCC.OS.C5 | CCC-020118 | Log all access and changes to object storage bucket | | ||
|
||
## Controls | ||
--- | ||
|
||
| Control Id | Objective | Description | Test | Service Taxonomy Id | NIST CSF | MITRE ATT&CK Mitigations | Threats | | ||
| ---------- | --------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -------- | ---------------------------------------------------- | --------- | | ||
| CCC.OS.C1 | Prevent unencrypted requests to object storage bucket | Block all unencrypted requests to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN an unencrypted HTTP request is made to the bucket; THEN the request should be denied | CCC-020115 | Protect | [M1041](https://attack.mitre.org/mitigations/M1041) | CCC.OS.T1 | | ||
| CCC.OS.C2 | Prevent object storage data encrypted for impact | Block data plane requests with untrusted KMS keys to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN a data plane request with an untrusted KMS key is made to the object storage bucket; THEN the request should be denied | CCC-020114 | Protect | None | CCC.OS.T2 | | ||
| CCC.OS.C3 | Prevent the granting of direct public access to the object storage bucket you own | Block the creation or update of buckets with public access | GIVEN you own the object storage bucket; WHEN the access controls on the bucket are updated to grant public access to the bucket; THEN the request should be denied | CCC-020116 | Protect | [M1022](https://attack.mitre.org/mitigations/M1022/) | CCC.OS.T3 | | ||
## CCC.OS.C1: Prevent unencrypted requests to object storage bucket | ||
|
||
- Corresponding Feature: CCC-020115 (Encryption in Transit) | ||
- NIST CSF: Protect (PR.DS-2) | ||
- MITRE ATT&CK TTP: T1573 - Encrypted Channels | ||
|
||
### Objective | ||
|
||
Prevent any unencrypted requests to the object storage bucket, ensuring that all communications are encrypted in transit to protect data integrity and confidentiality. | ||
|
||
### Control Mappings | ||
|
||
- CCM: IVS-09, DSI-03 | ||
- ISO/IEC 27001:2013 A.13.1.1 | ||
- NIST SP 800-53: SC-8, SC-13 | ||
|
||
### Testing Requirements | ||
|
||
The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: | ||
|
||
1. [**CCC.OS.C1.TR01**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR01): All supported network data protocols must be running on secure channels. | ||
2. [**CCC.OS.C1.TR02**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR02): All clear text channels should be disabled. | ||
3. [**CCC.OS.C1.TR03**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR03): The cipher suite implemented for ensuring the integrity and confidentiality of data should conform with the latest suggested cipher suites. [NIST proposed latest standard cipher suites](<[#](https://csrc.nist.gov/pubs/sp/800/52/r2/final)>). | ||
|
||
--- | ||
|
||
## CCC.OS.C2: Ensure data encryption at rest | ||
|
||
- Corresponding Feature: CCC-020114 (Encryption at Rest) | ||
- NIST CSF: Protect (PR.DS-1) | ||
- MITRE ATT&CK TTP: [T1486 - Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/) | ||
|
||
### Objective | ||
|
||
Ensure that all data stored within the object storage service is encrypted at rest to maintain confidentiality and integrity. | ||
|
||
### Control Mappings | ||
|
||
- CCM: DSI-01, DSI-02 | ||
- ISO/IEC 27001:2013 A.10.1.1 | ||
- NIST SP 800-53: SC-28 | ||
|
||
### Testing Requirements | ||
|
||
The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: | ||
|
||
1. **CCC.OS.C2.TR.01** {#CCC.OS.C2.TR.01}: Verify that data stored in the object storage bucket is encrypted using industry-standard algorithms. | ||
2. **CCC.OS.C2.TR.02** {#CCC.OS.C2.TR.02}: Ensure that encryption keys are managed securely and rotated periodically. | ||
3. **CCC.OS.C2.TR.03** {#CCC.OS.C2.TR.03}: Confirm that decryption is only possible through authorized access mechanisms. | ||
|
||
--- | ||
|
||
## CCC.OS.C3: Implement multi-factor authentication (MFA) for access | ||
|
||
- Corresponding Feature: CCC-020116 (Identity Based Access Control) | ||
- NIST CSF: Protect (PR.AC-7) | ||
- MITRE ATT&CK TTP: [T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078/) | ||
|
||
### Objective | ||
|
||
Ensure that all human user access to object storage buckets requires multi-factor authentication (MFA), minimizing the risk of unauthorized access by enforcing strong authentication mechanisms. | ||
|
||
### Control Mappings | ||
|
||
- CCM: IAM-03, IAM-08 | ||
- ISO/IEC 27001:2013 A.9.4.2 | ||
- NIST SP 800-53: IA-2 | ||
|
||
### Testing Requirements | ||
|
||
The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: | ||
|
||
1. [**CCC.OS.C3.TR01**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR01): Verify that MFA is enforced for all access attempts to the object storage bucket. | ||
2. [**CCC.OS.C3.TR02**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR02): Ensure that MFA is required for all administrative access to the storage management interface. | ||
3. [**CCC.OS.C3.TR03**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR03): Confirm that users are unable to access the object storage bucket without completing MFA. | ||
|
||
--- | ||
|
||
## CCC.OS.C4: Maintain immutable backups of data | ||
|
||
- Corresponding Feature: CCC-020112 (Compliance and Governance) | ||
- NIST CSF: Protect (PR.DS-1) | ||
- MITRE ATT&CK TTP: [T1485 - Data Destruction](https://attack.mitre.org/techniques/T1485/) | ||
|
||
### Objective | ||
|
||
Ensure that data stored in the object storage bucket is immutable for a defined period, preventing unauthorized modifications or deletions and thereby mitigating data destruction. | ||
|
||
### Control Mappings | ||
|
||
- CCM: DSI-05, DSI-07 | ||
- ISO/IEC 27001:2013 A.12.3.1 | ||
- NIST SP 800-53: CP-9 | ||
|
||
### Testing Requirements | ||
|
||
The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: | ||
|
||
1. **CCC.OS.C4.TR.01** {#CCC.OS.C4.TR.01}: Verify that data in the object storage bucket is protected by immutability settings. | ||
2. **CCC.OS.C4.TR.02** {#CCC.OS.C4.TR.02}: Ensure that attempts to modify or delete data within the immutability period are denied. | ||
3. **CCC.OS.C4.TR.03** {#CCC.OS.C4.TR.03}: Confirm that immutable data remains unchanged throughout the defined retention period. | ||
|
||
--- | ||
|
||
## CCC.OS.C5: Log all access and changes to object storage | ||
|
||
- Corresponding Feature: CCC-020118 (Logging) | ||
- NIST CSF: Detect (DE.AE-3) | ||
- MITRE ATT&CK TTP: [T1530: Data from Cloud Storage Object](https://attack.mitre.org/techniques/T1530) | ||
|
||
### Objective | ||
|
||
Ensure that all access and changes to the object storage bucket are logged to maintain a detailed audit trail for security and compliance purposes. | ||
|
||
### Control Mappings | ||
|
||
- CCM: DSI-06, STA-04 | ||
- ISO/IEC 27001:2013 A.12.4.1 | ||
- NIST SP 800-53: AU-2, AU-3 | ||
|
||
### Testing Requirements | ||
|
||
The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: | ||
|
||
1. **CCC.OS.C5.TR.01** {#CCC.OS.C5.TR.01}: Verify that all access attempts to the object storage bucket are logged. | ||
2. **CCC.OS.C5.TR.02** {#CCC.OS.C5.TR.02}: Ensure that all changes to the object storage bucket configurations are logged. | ||
3. **CCC.OS.C5.TR.03** {#CCC.OS.C5.TR.03}: Confirm that logs are protected against unauthorized access and tampering. |
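Review bot: the summary table under `## Controls` and the detailed sections below it describe different controls, so the new file contradicts itself. In the table CCC.OS.C2 is "Prevent object storage data encrypted for impact" with the test "Block data plane requests with untrusted KMS keys", while the `## CCC.OS.C2` section is "Ensure data encryption at rest"; CCC.OS.C3 in the table is "Prevent the granting of direct public access to the object storage bucket you own", while the section is "Implement multi-factor authentication (MFA) for access". The table also stops at C3 although the sections run to C5, and its Threats column cites CCC.OS.T1 to CCC.OS.T3, which are defined nowhere in this file. Pick one set of objectives, make the table rows match the sections one to one, and either link the threat IDs to their definitions or drop the column. Smaller points in the same hunk: the MITRE mapping for C1 lists `T1573 - Encrypted Channels`, which is an adversary technique (attacker command-and-control over an encrypted channel), whereas the table row correctly uses mitigation M1041; C2's T1486 is likewise a technique, and encryption at rest does not mitigate an attacker re-encrypting data with a key they control (the untrusted-KMS-key variant in the table would). C4 maps to PR.DS-1 (data at rest), but its objective is backups and retention, which is PR.IP-4 in CSF 1.1. Testing-requirement identifiers are inconsistent between sections (`CCC.OS.C1.TR01` linked to `./tests/ccc-os-c1.feature#CCC.OS.C1.TR01` versus `CCC.OS.C2.TR.01 {#CCC.OS.C2.TR.01}`), and a `#` fragment does not address a location inside a `.feature` file, so either generate those anchors in the rendered docs or reference the tag. The reference on C1 TR03 is a malformed nested link: `[NIST proposed latest standard cipher suites](<[#](https://csrc.nist.gov/pubs/sp/800/52/r2/final)>)` should read `[NIST SP 800-52 Rev. 2](https://csrc.nist.gov/pubs/sp/800/52/r2/final)`.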
@@ -0,0 +1,66 @@ | ||
@CCC.OS.C1.TR01 | ||
Feature: All supported network data protocols must be running on secure channels | ||
|
||
""" | ||
This feature ensures that all supported network data protocols are running on secure channels to protect data in transit. | ||
""" | ||
|
||
@CCC.OS.C1.TR01.T01 | ||
Scenario: Ensure HTTPS succeeds | ||
Given you own the object storage bucket | ||
When an encrypted HTTPS request is made to the bucket | ||
Then the request is allowed | ||
|
||
@CCC.OS.C1.TR01.T02 | ||
Scenario: Ensure SFTP succeeds | ||
Given you own the object storage bucket | ||
When an encrypted SFTP request is made to the bucket | ||
Then the request is allowed | ||
|
||
@CCC.OS.C1.TR01.T03 | ||
Scenario: Ensure gRPC over TLS succeeds | ||
Given you own the object storage bucket | ||
When an encrypted gRPC request is made to the bucket | ||
Then the request is allowed | ||
|
||
--- | ||
|
||
@CCC.OS.C1.TR02 | ||
Feature: All clear text channels should be disabled | ||
|
||
""" | ||
This feature ensures that all clear text channels are disabled to prevent unencrypted data transmission. | ||
""" | ||
|
||
@CCC.OS.C1.TR02.T01 | ||
Scenario: Ensure HTTP fails | ||
Given you own the object storage bucket | ||
When an HTTP request is made to the bucket | ||
Then the request is denied | ||
|
||
@CCC.OS.C1.TR02.T02 | ||
Scenario: Ensure FTP fails | ||
Given you own the object storage bucket | ||
When an FTP request is made to the bucket | ||
Then the request is denied | ||
|
||
@CCC.OS.C1.TR02.T03 | ||
Scenario: Ensure unencrypted gRPC fails | ||
Given you own the object storage bucket | ||
When an unencrypted gRPC request is made to the bucket | ||
Then the request is denied | ||
|
||
--- | ||
|
||
@CCC.OS.C1.TR03 | ||
Feature: The cipher suite implemented should conform with the latest suggested cipher suites | ||
|
||
""" | ||
This feature ensures that the cipher suite implemented for data encryption conforms with the latest suggested standards. | ||
""" | ||
|
||
@CCC.OS.C1.TR03.T01 | ||
Scenario: Ensure all known weak cipher suites are not supported | ||
Given you own the object storage bucket | ||
When a request with a weak cipher suite is made to the bucket | ||
Then the request must fail |
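Review bot: this file will not load as a single Gherkin feature: a `.feature` file may contain only one `Feature:` block, and `---` is not a Gherkin keyword, so the three features for TR01, TR02 and TR03 separated by `---` need to become either three files or one `Feature:` whose tags move onto the scenarios (or onto `Rule:` blocks if grouping is wanted). The `"""` lines directly under each `Feature:` are also unnecessary: the description is free-form text, and `"""` is the doc-string delimiter for step arguments, so the quotes either end up in the description or trip up tooling. On content, TR03 claims conformance with NIST SP 800-52 Rev. 2 but its only scenario checks that a weak cipher suite is rejected; add a scenario asserting that the recommended TLS versions and suites are accepted, and make the outcome wording consistent (`Then the request must fail` here, `Then the request is denied` in TR02). `Given you own the object storage bucket` is the only precondition, so nothing states which endpoint or protocol version a request targets; and "SFTP" and "FTP" in TR01.T02 and TR02.T02 are provider-specific front ends rather than native object storage APIs, so those scenarios should be conditional on the service exposing that protocol.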
@@ -0,0 +1,42 @@ | ||
@CCC.OS.C3.TR01 | ||
Feature: Verify that MFA is enforced for all access attempts to the object storage bucket | ||
|
||
""" | ||
This feature ensures that multi-factor authentication (MFA) is enforced for all access attempts to the object storage bucket. | ||
""" | ||
|
||
@CCC.OS.C3.TR01.T01 | ||
Scenario: Enforce MFA for access | ||
Given you own the object storage bucket | ||
When an access attempt is made to the bucket | ||
Then MFA is enforced | ||
|
||
--- | ||
|
||
@CCC.OS.C3.TR02 | ||
Feature: Verify that MFA is enforced for all access attempts to the object storage bucket | ||
|
||
""" | ||
This feature ensures that multi-factor authentication (MFA) is required for all administrative access to the object storage bucket. | ||
""" | ||
|
||
@CCC.OS.C3.TR02.T01 | ||
Scenario: Require MFA for administrative access | ||
Given you own the object storage bucket | ||
When administrative access is attempted | ||
Then MFA is required | ||
|
||
--- | ||
|
||
@CCC.OS.C3.TR03 | ||
Feature: Verify that MFA is enforced for all access attempts to the object storage bucket | ||
|
||
""" | ||
This feature ensures that access to the object storage bucket is blocked if multi-factor authentication (MFA) is not used. | ||
""" | ||
|
||
@CCC.OS.C3.TR03.T01 | ||
Scenario: Block access without MFA | ||
Given you own the object storage bucket | ||
When an access attempt is made without MFA | ||
Then access is denied |
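Review bot: the `Feature:` titles on TR02 and TR03 are copy-pasted from TR01 ("Verify that MFA is enforced for all access attempts to the object storage bucket") and disagree with their own doc strings and with the controls file, which names them "Ensure that MFA is required for all administrative access to the storage management interface" and "Confirm that users are unable to access the object storage bucket without completing MFA"; retitle them. As written, TR01.T01 and TR03.T01 test the same requirement from two sides, and `Then MFA is enforced` / `Then MFA is required` are not observable outcomes a step can assert; the usual shape is `When an access attempt is made without MFA` / `Then access is denied` paired with `When an access attempt is made with MFA` / `Then access is allowed`. The control objective in the controls file limits MFA to "human user access", while these scenarios say "all access attempts", which would also cover workload identities that cannot complete MFA; add a `Given` that the principal is a human user, or a separate scenario for non-human principals. Same structural problem as the C1 file: three `Feature:` blocks separated by `---` in one `.feature` file.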