diff --git a/services/storage/object/controls.md b/services/storage/object/controls.md index 77b95b43..d55978e1 100644 --- a/services/storage/object/controls.md +++ b/services/storage/object/controls.md 
@@ -1,11 +1,139 @@ -# Object Storage Controls +# CCC.OS: Object Storage -This document contains an abstracted list of controls based on the Threats for Object Storage. The scope of these controls expand across various cloud service providers. +| Control Id | Service Taxonomy Id | Control | +| ---------- | ------------------- | ------------------------------------------------------ | +| CCC.OS.C1 | CCC-020115 | Prevent unencrypted requests to object storage bucket | +| CCC.OS.C2 | CCC-020114 | Ensure data encryption at rest | +| CCC.OS.C3 | CCC-020116 | Implement multi-factor authentication (MFA) for access | +| CCC.OS.C4 | CCC-020112 | Maintain immutable backups of data | +| CCC.OS.C5 | CCC-020118 | Log all access and changes to object storage bucket | -## Controls +--- -| Control Id | Objective | Description | Test | Service Taxonomy Id | NIST CSF | MITRE ATT&CK Mitigations | Threats | -| ---------- | --------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -------- | ---------------------------------------------------- | --------- | -| CCC.OS.C1 | Prevent unencrypted requests to object storage bucket | Block all unencrypted requests to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN an unencrypted HTTP request is made to the bucket; THEN the request should be denied | CCC-020115 | Protect | [M1041](https://attack.mitre.org/mitigations/M1041) | CCC.OS.T1 | -| CCC.OS.C2 | Prevent object storage data encrypted for impact | Block data plane requests with untrusted KMS keys to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN a data plane request with an untrusted KMS key is made to the object storage 
bucket; THEN the request should be denied | CCC-020114 | Protect | None | CCC.OS.T2 | -| CCC.OS.C3 | Prevent the granting of direct public access to the object storage bucket you own | Block the creation or update of buckets with public access | GIVEN you own the object storage bucket; WHEN the access controls on the bucket are updated to grant public access to the bucket; THEN the request should be denied | CCC-020116 | Protect | [M1022](https://attack.mitre.org/mitigations/M1022/) | CCC.OS.T3 | +## CCC.OS.C1: Prevent unencrypted requests to object storage bucket + +- Corresponding Feature: CCC-020115 (Encryption in Transit) +- NIST CSF: Protect (PR.DS-2) +- MITRE ATT&CK TTP: T1573 - Encrypted Channels + +### Objective + +Prevent any unencrypted requests to the object storage bucket, ensuring that all communications are encrypted in transit to protect data integrity and confidentiality. + +### Control Mappings + +- CCM: IVS-09, DSI-03 +- ISO/IEC 27001:2013 A.13.1.1 +- NIST SP 800-53: SC-8, SC-13 + +### Testing Requirements + +The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: + +1. [**CCC.OS.C1.TR01**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR01): All supported network data protocols must be running on secure channels. +2. [**CCC.OS.C1.TR02**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR02): All clear text channels should be disabled. +3. [**CCC.OS.C1.TR03**](./tests/ccc-os-c1.feature#CCC.OS.C1.TR03): The cipher suite implemented for ensuring the integrity and confidentiality of data should conform with the latest suggested cipher suites. [NIST proposed latest standard cipher suites](<[#](https://csrc.nist.gov/pubs/sp/800/52/r2/final)>). 
+ +--- + +## CCC.OS.C2: Ensure data encryption at rest + +- Corresponding Feature: CCC-020114 (Encryption at Rest) +- NIST CSF: Protect (PR.DS-1) +- MITRE ATT&CK TTP: [T1486 - Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/) + +### Objective + +Ensure that all data stored within the object storage service is encrypted at rest to maintain confidentiality and integrity. + +### Control Mappings + +- CCM: DSI-01, DSI-02 +- ISO/IEC 27001:2013 A.10.1.1 +- NIST SP 800-53: SC-28 + +### Testing Requirements + +The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: + +1. **CCC.OS.C2.TR.01** {#CCC.OS.C2.TR.01}: Verify that data stored in the object storage bucket is encrypted using industry-standard algorithms. +2. **CCC.OS.C2.TR.02** {#CCC.OS.C2.TR.02}: Ensure that encryption keys are managed securely and rotated periodically. +3. **CCC.OS.C2.TR.03** {#CCC.OS.C2.TR.03}: Confirm that decryption is only possible through authorized access mechanisms. + +--- + +## CCC.OS.C3: Implement multi-factor authentication (MFA) for access + +- Corresponding Feature: CCC-020116 (Identity Based Access Control) +- NIST CSF: Protect (PR.AC-7) +- MITRE ATT&CK TTP: [T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078/) + +### Objective + +Ensure that all human user access to object storage buckets requires multi-factor authentication (MFA), minimizing the risk of unauthorized access by enforcing strong authentication mechanisms. + +### Control Mappings + +- CCM: IAM-03, IAM-08 +- ISO/IEC 27001:2013 A.9.4.2 +- NIST SP 800-53: IA-2 + +### Testing Requirements + +The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: + +1. 
[**CCC.OS.C3.TR01**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR01): Verify that MFA is enforced for all access attempts to the object storage bucket. +2. [**CCC.OS.C3.TR02**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR02): Ensure that MFA is required for all administrative access to the storage management interface. +3. [**CCC.OS.C3.TR03**](./tests/ccc-os-c3.feature#CCC.OS.C3.TR03): Confirm that users are unable to access the object storage bucket without completing MFA. + +--- + +## CCC.OS.C4: Maintain immutable backups of data + +- Corresponding Feature: CCC-020112 (Compliance and Governance) +- NIST CSF: Protect (PR.DS-1) +- MITRE ATT&CK TTP: [T1485 - Data Destruction](https://attack.mitre.org/techniques/T1485/) + +### Objective + +Ensure that data stored in the object storage bucket is immutable for a defined period, preventing unauthorized modifications or deletions and thereby mitigating data destruction. + +### Control Mappings + +- CCM: DSI-05, DSI-07 +- ISO/IEC 27001:2013 A.12.3.1 +- NIST SP 800-53: CP-9 + +### Testing Requirements + +The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: + +1. **CCC.OS.C4.TR.01** {#CCC.OS.C4.TR.01}: Verify that data in the object storage bucket is protected by immutability settings. +2. **CCC.OS.C4.TR.02** {#CCC.OS.C4.TR.02}: Ensure that attempts to modify or delete data within the immutability period are denied. +3. **CCC.OS.C4.TR.03** {#CCC.OS.C4.TR.03}: Confirm that immutable data remains unchanged throughout the defined retention period. 
+ +--- + +## CCC.OS.C5: Log all access and changes to object storage + +- Corresponding Feature: CCC-020118 (Logging) +- NIST CSF: Detect (DE.AE-3) +- MITRE ATT&CK TTP: [T1530: Data from Cloud Storage Object](https://attack.mitre.org/techniques/T1530) + +### Objective + +Ensure that all access and changes to the object storage bucket are logged to maintain a detailed audit trail for security and compliance purposes. + +### Control Mappings + +- CCM: DSI-06, STA-04 +- ISO/IEC 27001:2013 A.12.4.1 +- NIST SP 800-53: AU-2, AU-3 + +### Testing Requirements + +The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed: + +1. **CCC.OS.C5.TR.01** {#CCC.OS.C5.TR.01}: Verify that all access attempts to the object storage bucket are logged. +2. **CCC.OS.C5.TR.02** {#CCC.OS.C5.TR.02}: Ensure that all changes to the object storage bucket configurations are logged. +3. **CCC.OS.C5.TR.03** {#CCC.OS.C5.TR.03}: Confirm that logs are protected against unauthorized access and tampering. diff --git a/services/storage/object/tests/ccc-os-c1.feature b/services/storage/object/tests/ccc-os-c1.feature new file mode 100644 index 00000000..7aaccf15 --- /dev/null +++ b/services/storage/object/tests/ccc-os-c1.feature 
@@ -0,0 +1,66 @@ +@CCC.OS.C1.TR01 +Feature: All supported network data protocols must be running on secure channels + +""" +This feature ensures that all supported network data protocols are running on secure channels to protect data in transit. +""" + +@CCC.OS.C1.TR01.T01 +Scenario: Ensure HTTPS succeeds + Given you own the object storage bucket + When an encrypted HTTPS request is made to the bucket + Then the request is allowed + +@CCC.OS.C1.TR01.T02 +Scenario: Ensure SFTP succeeds + Given you own the object storage bucket + When an encrypted SFTP request is made to the bucket + Then the request is allowed + +@CCC.OS.C1.TR01.T03 +Scenario: Ensure gRPC over TLS succeeds + Given you own the object storage bucket + When an encrypted gRPC request is made to the bucket + Then the request is allowed + +--- + +@CCC.OS.C1.TR02 +Feature: All clear text channels should be disabled + +""" +This feature ensures that all clear text channels are disabled to prevent unencrypted data transmission. +""" + +@CCC.OS.C1.TR02.T01 +Scenario: Ensure HTTP fails + Given you own the object storage bucket + When an HTTP request is made to the bucket + Then the request is denied + +@CCC.OS.C1.TR02.T02 +Scenario: Ensure FTP fails + Given you own the object storage bucket + When an FTP request is made to the bucket + Then the request is denied + +@CCC.OS.C1.TR02.T03 +Scenario: Ensure unencrypted gRPC fails + Given you own the object storage bucket + When an unencrypted gRPC request is made to the bucket + Then the request is denied + +--- + +@CCC.OS.C1.TR03 +Feature: The cipher suite implemented should conform with the latest suggested cipher suites + +""" +This feature ensures that the cipher suite implemented for data encryption conforms with the latest suggested standards. 
+""" + +@CCC.OS.C1.TR03.T01 +Scenario: Ensure all known weak cipher suites are not supported + Given you own the object storage bucket + When a request with a weak cipher suite is made to the bucket + Then the request must fail diff --git a/services/storage/object/tests/ccc-os-c3.feature b/services/storage/object/tests/ccc-os-c3.feature new file mode 100644 index 00000000..f42bdaeb --- /dev/null +++ b/services/storage/object/tests/ccc-os-c3.feature @@ -0,0 +1,42 @@ +@CCC.OS.C3.TR01 +Feature: Verify that MFA is enforced for all access attempts to the object storage bucket + +""" +This feature ensures that multi-factor authentication (MFA) is enforced for all access attempts to the object storage bucket. +""" + +@CCC.OS.C3.TR01.T01 +Scenario: Enforce MFA for access + Given you own the object storage bucket + When an access attempt is made to the bucket + Then MFA is enforced + +--- + +@CCC.OS.C3.TR02 +Feature: Verify that MFA is enforced for all access attempts to the object storage bucket + +""" +This feature ensures that multi-factor authentication (MFA) is required for all administrative access to the object storage bucket. +""" + +@CCC.OS.C3.TR02.T01 +Scenario: Require MFA for administrative access + Given you own the object storage bucket + When administrative access is attempted + Then MFA is required + +--- + +@CCC.OS.C3.TR03 +Feature: Verify that MFA is enforced for all access attempts to the object storage bucket + +""" +This feature ensures that access to the object storage bucket is blocked if multi-factor authentication (MFA) is not used. +""" + +@CCC.OS.C3.TR03.T01 +Scenario: Block access without MFA + Given you own the object storage bucket + When an access attempt is made without MFA + Then access is denied \ No newline at end of file
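Review bot: The testing-requirement identifiers in the controls.md hunk follow two different schemes: CCC.OS.C1 and CCC.OS.C3 use `CCC.OS.C1.TR01` linked to `./tests/ccc-os-c1.feature#CCC.OS.C1.TR01`, while CCC.OS.C2, C4 and C5 use `CCC.OS.C2.TR.01` with a `{#CCC.OS.C2.TR.01}` attribute, and no feature file is added for those three controls in this patch. Pick one form (the dotless `TR01` matches the tags used in the feature files) and either add `ccc-os-c2.feature`, `ccc-os-c4.feature` and `ccc-os-c5.feature` or mark those requirements as not yet backed by tests. Three smaller points in the same hunk: the link in CCC.OS.C1.TR03, `[NIST proposed latest standard cipher suites](<[#](https://csrc.nist.gov/pubs/sp/800/52/r2/final)>)`, nests a link inside the URL and should be `[NIST SP 800-52r2](https://csrc.nist.gov/pubs/sp/800/52/r2/final)`; the removed table carried a Threats column (CCC.OS.T1, T2, T3) and a MITRE mitigations column (M1041, M1022) that the new per-control sections do not carry forward, so control-to-threat traceability is lost unless a `- Threats:` bullet is added beside each `MITRE ATT&CK TTP` line; and the CCC.OS.C5 heading reads `Log all access and changes to object storage` while the summary table says `... to object storage bucket`. The C1 line `T1573 - Encrypted Channels` is also the only TTP entry without a link to attack.mitre.org.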
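Review bot: The new ccc-os-c1.feature is not parseable as Gherkin as written: a `.feature` file holds exactly one `Feature:`, the `---` separators are not Gherkin syntax, and `"""` doc strings are only valid as an argument to a step, not as a free-standing block under `Feature:`. Either split the three requirements into one file each (`ccc-os-c1-tr01.feature` and so on, with the tag kept on the `Feature:` line) or keep a single `Feature:` for CCC.OS.C1 and tag each group of scenarios with its TR id, and write the description as plain indented text below the `Feature:` line without the triple quotes. The step wording also drifts: TR01 and TR02 scenarios end with `Then the request is allowed` / `Then the request is denied`, while TR03.T01 ends with `Then the request must fail`; each distinct phrasing needs its own step definition, so align it to `Then the request is denied`. Finally, `When a request with a weak cipher suite is made to the bucket` leaves "weak" undefined; reference the SP 800-52r2 list that the controls.md text cites so the scenario is reproducible.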
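Review bot: In ccc-os-c3.feature the `Feature:` titles for `@CCC.OS.C3.TR02` and `@CCC.OS.C3.TR03` are copies of the TR01 title (`Verify that MFA is enforced for all access attempts to the object storage bucket`) even though their descriptions and the controls.md text describe different requirements; they should read `Ensure that MFA is required for all administrative access to the storage management interface` and `Confirm that users are unable to access the object storage bucket without completing MFA` to match CCC.OS.C3.TR02 and TR03. The same one-`Feature:`-per-file and `"""` issues raised for ccc-os-c1.feature apply here. The outcomes `Then MFA is enforced` (TR01.T01) and `Then MFA is required` (TR02.T01) are not observable results; phrase them as what a test can check, e.g. `When an access attempt is made to the bucket without MFA` / `Then access is denied` with a companion scenario where the attempt with MFA `is allowed`, which also makes TR01.T01 and TR03.T01 distinct instead of near-duplicates. Note too that the controls.md objective scopes MFA to `all human user access`, whereas the feature says `all access attempts`; if workload or service identities are out of scope, the `Given` step should say so. The file is also missing its trailing newline.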