Transformed md files to yaml

Signed-off-by: Eddie Knight <[email protected]>
finos · Aug 15, 2024 · e393f9c · e393f9c
1 parent 6d3c1bf
commit e393f9c
Show file tree

Hide file tree

Showing 5 changed files with 179 additions and 40 deletions.
diff --git a/services/storage/object/controls.yaml b/services/storage/object/controls.yaml
@@ -0,0 +1,95 @@
+title: CCC Object Storage Security Controls
+category-id: CCC.OS
+controls:
+  - id: CCC.OS.C1
+    feature_id: CCC.OS.F15
+    title: Prevent unencrypted requests to object storage bucket
+    objective: Prevent any unencrypted requests to the object storage bucket, ensuring that all communications are encrypted in transit to protect data integrity and confidentiality.
+    nist_csf: PR.DS-2
+    mitre_attack: T1573
+    control_mappings:
+      CCM: 
+        - IVS-09
+        - DSI-03
+      ISO_27001: 
+        - 2013 A.13.1.1
+      NIST_800_53: 
+        - SC-8
+        - SC-13
+    test_requirements:
+      01: All supported network data protocols must be running on secure channels.
+      02: All clear text channels should be disabled.
+      03: The cipher suite implemented for ensuring the integrity and confidentiality of data should conform with the latest suggested cipher suites. [NIST proposed latest standard cipher suites](<[#](https://csrc.nist.gov/pubs/sp/800/52/r2/final)>).
+  - id: CCC.OS.C2
+    feature_id: CCC.OS.F14
+    title: Ensure data encryption at rest
+    objective: Ensure that all data stored within the object storage service is encrypted at rest to maintain confidentiality and integrity.
+    nist_csf: PR.DS-1
+    mitre_attack: T1486
+    control_mappings:
+      CCM: 
+        - DSI-01
+        - DSI-02
+      ISO_27001: 
+        - 2013 A.10.1.1
+      NIST_800_53: 
+        - SC-28
+    test_requirements:
+      01: Verify that data stored in the object storage bucket is encrypted using industry-standard algorithms.
+      02: Ensure that encryption keys are managed securely and rotated periodically.
+      03: Confirm that decryption is only possible through authorized access mechanisms.
+  - id: CCC.OS.C3
+    feature_id: CCC.OS.F16
+    title: Implement multi-factor authentication (MFA) for access
+    objective: Ensure that all human user access to object storage buckets requires multi-factor authentication (MFA), minimizing the risk of unauthorized access by enforcing strong authentication mechanisms.
+    nist_csf: PR.AC-7
+    mitre_attack: T1078
+    control_mappings:
+      CCM: 
+        - IAM-03
+        - IAM-08
+      ISO_27001: 
+        - 2013 A.9.4.2
+      NIST_800_53: 
+        - IA-2
+    test_requirements:
+      01: Verify that MFA is enforced for all access attempts to the object storage bucket.
+      02: Ensure that MFA is required for all administrative access to the storage management interface.
+      03: Confirm that users are unable to access the object storage bucket without completing MFA.
+  - id: CCC.OS.C4
+    feature_id: CCC.OS.F12
+    title: Maintain immutable backups of data
+    objective: Ensure that data stored in the object storage bucket is immutable for a defined period, preventing unauthorized modifications or deletions and thereby mitigating data destruction.
+    nist_csf: PR.DS-1
+    mitre_attack: T1485
+    control_mappings:
+      CCM: 
+        - DSI-05
+        - DSI-07
+      ISO_27001: 
+        - 2013 A.12.3.1
+      NIST_800_53: 
+        - CP-9
+    test_requirements:
+      01: Verify that data in the object storage bucket is protected by immutability settings.
+      02: Ensure that attempts to modify or delete data within the immutability period are denied.
+      03: Confirm that immutable data remains unchanged throughout the defined retention period.
+  - id: CCC.OS.C5
+    feature_id: CCC.OS.F18
+    title: Log all access and changes to object storage
+    objective: Ensure that all access and changes to the object storage bucket are logged to maintain a detailed audit trail for security and compliance purposes.
+    nist_csf: DE.AE-3
+    mitre_attack: T1530
+    control_mappings:
+      CCM: 
+        - DSI-06
+        - STA-04
+      ISO_27001: 
+        - 2013 A.12.4.1
+      NIST_800_53: 
+        - AU-2
+        - AU-3
+    test_requirements:
+      01: Verify that all access attempts to the object storage bucket are logged.
+      02: Ensure that all changes to the object storage bucket configurations are logged.
+      03: Confirm that logs are protected against unauthorized access and tampering.
diff --git a/services/storage/object/features.yaml b/services/storage/object/features.yaml
@@ -0,0 +1,60 @@
+title: CCC Object Storage Common Features
+category-id: CCC.OS
+features:
+  - id: CCC.OS.F01
+    title: Buckets
+    description: Concept of having uniquely identifiable containers in which objects exist.
+  - id: CCC.OS.F02
+    title: Metadata
+    description: Support storing, accessing, and managing of object metadata for stored objects.
+  - id: CCC.OS.F03
+    title: Scalability - Capacity Limit
+    description: Ability to store unlimited number of objects under a given maximum total capacity per bucket.
+  - id: CCC.OS.F04  
+    title: Scalability - Object Size Limit
+    description: Ability to store large objects under a given maximum object size.
+  - id: CCC.OS.F05
+    title: Durability
+    description: High durability for stored objects through redundancy and replication.
+  - id: CCC.OS.F06
+    title: Availability
+    description: High availability for stored objects through replication over multiple (availability) zones within a region.
+  - id: CCC.OS.F07
+    title: Performance - Transaction Rate Limits
+    description: High throughput and low latency for read/write operations under given maximum transaction rate limits.
+  - id: CCC.OS.F08
+    title: Performance - Querying
+    description: Ability to perform simple select queries to retrieve only a subset of objects from the bucket.
+  - id: CCC.OS.F09
+    title: Storage Classes
+    description: Having different storage classes for frequently and infrequently accessed objects.
+  - id: CCC.OS.F10
+    title: Lifecycle Policies
+    description: Ability to define policies to automate data management tasks.
+  - id: CCC.OS.F11
+    title: Versioning
+    description: Ability to keep multiple versions of an object in the same bucket.
+  - id: CCC.OS.F12
+    title: Compliance and Governance
+    description: Ability to create locks on objects disabling modification and/or deletion of an object for a given period of time.
+  - id: CCC.OS.F13
+    title: Event Notifications
+    description: Publish object level events for creation, deletion and modification of objects allowing users to trigger actions in response.
+  - id: CCC.OS.F14
+    title: Encryption at Rest
+    description: Data should be encrypted before storing by default. Should also make the option available for clients to maintain control over the encryptin keys.
+  - id: CCC.OS.F15
+    title: Encryption in Transit
+    description: Ability to encrypt data in transit using SSL/TSL.
+  - id: CCC.OS.F16
+    title: Identity Based Access Control
+    description: Ability to limit the users/roles who can access the object store.
+  - id: CCC.OS.F17
+    title: Object Level Access Control
+    description: Ability to control access to specific objects on the object store.
+  - id: CCC.OS.F18
+    title: Logging
+    description: Ability to log access, allowing the clients to track requests made to the object store.
+  - id: CCC.OS.F19
+    title: Signed URLs
+    description: Ability to give temporary access to objects and buckets through a signed URL or signed access token.
diff --git a/services/storage/object/taxonomy.md b/services/storage/object/taxonomy.md
diff --git a/services/storage/object/threats.md b/services/storage/object/threats.md
diff --git a/services/storage/object/threats.yaml b/services/storage/object/threats.yaml
@@ -0,0 +1,24 @@
+title: CCC Object Storage Security Threats
+category-id: CCC.OS
+threats:
+  - id: CCC.OS.T01
+    title: Attacker intercepts data in transit to a bucket
+    description: The object storage service allows communication over HTTP. An attacker can intercept the traffic you send to bucket, in order to read or modify the data.
+    feature_id: CCC.OS.F15
+    mitre_attack: 
+      - TA009
+      - T1557
+  - id: CCC.OS.T02
+    title: Attacker encrypts objects for ransomware
+    description: The object storage service provides several types of encryption where the key is not operated by the CSP. An attacker can encrypt all the data stored in the bucket to ransom the data owner to get the decryption key. Alternatively, an attacker can change the default encryption key, for a similar effect on any new data uploaded.
+    feature_id: CCC.OS.F14
+    mitre_attack: 
+      - TA0040
+      - T1486
+  - id: CCC.OS.T03
+    title: Attacker grants bucket access to untrusted principals
+    description: The bucket access controls (e.g. ACLs, bucket policies) can enable access to objects owned by the bucket. An attacker (or someone by negligence) can change (i.e., impair) the bucket access controls and make the content accessible to untrusted principals (via public endpoints, cross-account VPC endpoints, or cross-account access point).
+    feature_id: CCC.OS.F16
+    mitre_attack: 
+      - TA0005
+      - T1562