Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend Object Storage Controls #263

Merged
merged 11 commits into from
Aug 2, 2024
Merged

Extend Object Storage Controls #263

merged 11 commits into from
Aug 2, 2024

Conversation

mlysaght2017
Copy link
Contributor

Addresses #188

  • Adds 7 new control objectives with mappings
  • New column to include MITRE ATT&CK TTP mappings directly
  • New column to give the full service feature name
  • New column to including mappings to existing controls with examples for CSA CCM

@mlysaght2017 mlysaght2017 requested a review from a team as a code owner July 18, 2024 11:50
@robmoffat robmoffat mentioned this pull request Jul 18, 2024
Closed
8 tasks
nas-hub
nas-hub reviewed Jul 18, 2024
View reviewed changes
services/storage/object/controls.md Outdated
| Control Id | Objective | Test | Service Taxonomy Id | Full Service Feature Name | NIST CSF | MITRE ATT&CK TTPs | Control Mappings |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we consider having Control Testing Requirements as a column; These requirements will define the scope of tests which comprehensively ensures that Control is fullfilling the defined Objective.

Copy link
Contributor Author

@mlysaght2017 mlysaght2017 Jul 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can certainly experiment, yes. Can you give a rough feel for what the hierarchy would look like from objective -> test reqs -> tests, relative to one or two of the control objectives/tests here.

services/storage/object/controls.md Outdated
| Control Id | Objective | Test | Service Taxonomy Id | Full Service Feature Name | NIST CSF | MITRE ATT&CK TTPs | Control Mappings |
|------------|-----------|------|---------------------|---------------------------|----------|-------------------|------------------|
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Objective in general are highlevel - there may be a need for us to have a level of hierarchy where an Object maps to multiple Test Requirements and each requiremnt has multiple Tests.

Copy link
Contributor

@eddie-knight eddie-knight Jul 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering whether we should switch up our approach here.

Perhaps we start with a summary table that is a pared-down version of this, and then the rest of the document can contain deep-dives of each control.

Here's a quick and dirty example... I created a template very loosely inspired by CIS and threw a few rows in.

Would something like this fit with y'alls vision / experience?

@mlysaght2017 @nas-hub @jared-lambert @rowan-baker @kennydunn72

CCC.OS: Object Storage

Control Id Service Taxonomy Id Control
CCC.OS.C1 CCC-020115 Prevent unencrypted requests to object storage bucket
CCC.OS.C2 CCC-020114 Prevent object storage data encrypted for impact
CCC.OS.C3 CCC-020116 Prevent granting direct public access to object storage bucket

CCC.OS.C1: Prevent unencrypted requests to object storage bucket

Corresponding Feature: CCC-020115 (Encryption in Transit)
NIST CSF: Protect (PR.DS-2)
MITRE ATT&CK TTP: T1040 - Network Sniffing

Objective

Prevent any unencrypted HTTP requests to the object storage bucket, ensuring that all communications are encrypted in transit to protect data integrity and confidentiality.

Tests

CCC.OS.C1.01: Ensure HTTPS succeeds

  • Given you own the object storage bucket
  • When an encrypted HTTPS request is made to the bucket
  • Then the request is allowed

CCC.OS.C1.02: Ensure HTTP fails

  • Given you own the object storage bucket
  • When an unencrypted HTTP request is made to the bucket
  • Then the request is denied

Control Mappings

  • CCM: IVS-09, DSI-03

CCC.OS.C2: Prevent object storage data encrypted for impact

Corresponding Feature: CCC-020114 (Encryption at Rest)
NIST CSF: Protect (PR.DS-1)
MITRE ATT&CK TTP: T1486 - Data Encrypted for Impact

Objective

Ensure that data within the object storage bucket is not encrypted with an untrusted Key Management Service (KMS) key, thereby protecting data integrity and preventing unauthorized access.

Tests

CCC.OS.C2.01: Ensure trusted KMS key succeeds

  • Given you own the object storage bucket
  • When a data plane request with a trusted KMS key is made to the object storage bucket
  • Then the request is allowed

CCC.OS.C2.02: Ensure untrusted KMS key fails

  • Given you own the object storage bucket
  • When a data plane request with an untrusted KMS key is made to the object storage bucket
  • Then the request is denied

Control Mappings

  • CCM: DSI-01, DSI-02

CCC.OS.C3: Prevent granting direct public access to object storage bucket

Corresponding Feature: CCC-020116 (Identity Based Access Control)
NIST CSF: Protect (PR.AC-4)
MITRE ATT&CK TTP: T1530 - Data from Cloud Storage Object

Objective

Prevent the object storage bucket from being publicly accessible by controlling and restricting access permissions to only authorized users, thus protecting the data from unauthorized access.

Tests

CCC.OS.C3.01: Ensure privileged requests succeed

  • Given you own the object storage bucket
  • When a request is made from a privileged user
  • Then the request is allowed

CCC.OS.C3.02: Ensure non-privileged requests fail

  • Given you own the object storage bucket
  • When a request is made from a non-privileged user
  • Then the request is denied

Control Mappings

  • CCM: IVS-07, DSI-04

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nas-hub @damienjburks @eddie-knight @rowan-baker - made updates to align to template and added in separate gherkin feature files for two of the controls. The test requirements map to the gherkin features and then within each test requirement/feature there are individual tests/scenarios. There are links between the testing requirement in the catalog and the corresponding feature within the gherkin files. Agree with @damienjburks that we should have the taxonomy features tagged so we can link to those as well.

@mlysaght2017
Copy link
Contributor Author

mlysaght2017 commented Jul 21, 2024 via email

@nas-hub
Copy link
Contributor

nas-hub commented Jul 21, 2024
edited
Loading

Yes, that looks good, the idea is that a control will require multiple tests to ensure its complete assessment and fulfillment of its objective. Parallel to that defining the expectations of assessment as "Testing Requirements" will set the scope and draw boundaries of the tests that are expected. Both above combined together will help lead towards automated assessments.

For Example:

CCC.OS.C1: Prevent unencrypted requests to object storage bucket

Corresponding Feature: CCC-020115 (Encryption in Transit)
NIST CSF: Protect (PR.DS-2)
MITRE ATT&CK TTP: T1040 - Network Sniffing Consider: T1573 - Encrypted Channels

Objective

Prevent any unencrypted requests to the object storage bucket, ensuring that all communications are encrypted in transit to protect data integrity and confidentiality.

Testing Requirements

The follow validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed:

CCC.OS.C1.TR.01 {#CCC.OS.C1.TR.01} : All supported network data protocols must be running on secure channels.

CCC.OS.C1.TR..02 {#CCC.OS.C1.TR.02} : All clear text channels should be disabled

CCC.OS.C1.TR..03 {#CCC.OS.C1.TR.03} : The cipher suite implemented for ensuring the integrity and confidentiality of data should conform with the latest suggested cipher suites. TODO: Link NIST/MITRE proposed latest standard cipher suites.

CCC.OS.C1.TR..04 {#CCC.OS.C1.TR.04}: Add new requirement here

Tests

CCC.OS.C1.01: Ensure HTTPS succeeds

  • Given you own the object storage bucket
  • When an encrypted HTTPS request is made to the bucket
  • Then the request is allowed

Requirements Coverage [ CCC.OS.C1.TR.01, ]

CCC.OS.C1.02: Ensure SFTP succeeds

  • Given you own the object storage bucket
  • When an encrypted SFTP request is made to the bucket
  • Then the request is allowed

Requirements Coverage [ CCC.OS.C1.TR.01, ]

CCC.OS.C1.02: Ensure gRPC over TLS succeeds

  • Given you own the object storage bucket
  • When an encrypted gRPC request is made to the bucket
  • Then the request is allowed

Requirements Coverage [ CCC.OS.C1.TR.01, ]

CCC.OS.C1.02: Ensure HTTP fails

  • Given you own the object storage bucket
  • When an HTTP request is made to the bucket
  • Then the request is denied

Requirements Coverage [ CCC.OS.C1.TR.02, ]

CCC.OS.C1.02: Ensure FTP fails

  • Given you own the object storage bucket
  • When an FTP request is made to the bucket
  • Then the request is denied

Requirements Coverage [ CCC.OS.C1.TR.02, ]

CCC.OS.C1.02: Ensure gRPC fails

  • Given you own the object storage bucket
  • When an unencrypted gRPC request is made to the bucket
  • Then the request is denied

Requirements Coverage [ CCC.OS.C1.TR.02, ]

CCC.OS.C1.02: Ensure all known weak cipher suites are not supported

Referenced List of WEAK_CIPHERS = {ref:}

  • Given you own the object storage bucket
  • When an request with CIPHER: < list:WEAK_CIPHERS > made to the bucket
  • Then the request must fail

Requirements Coverage [ CCC.OS.C1.TR.03, ]

@damienjburks
Copy link
Contributor

damienjburks commented Jul 21, 2024
edited
Loading

I like the way this is going. I think we will want to break out the gherkin tests into their own files and tag them accordingly. We can create a tests folder in the parent directory, and move all Gherkin files into it. This'll make it easier to implement automated tests for the assessments of the controls, rather than parsing the markdown file and attempting to derive all the information from there.

Example:

@CCC.OS.C1.05
Feature: Ensure all known weak cipher suites are not supported
  Scenario: Ensure all known weak cipher suites are not supported
    GIVEN you own the object storage bucket
    WHEN an request with CIPHER: < list:WEAK_CIPHERS > made to the bucket
    THEN the request must fail

@CCC.OS.C1.04
Feature: Ensure gRPC fails
  Scenario: Ensure gRPC fails
    GIVEN you own the object storage bucket
    WHEN an unencrypted gRPC request is made to the bucket
    THEN the request is denied

If we do plan to follow this, I also think it would be ideal to include links to the headings of both the controls and the taxonomy IDs, as listed below as a brief example:

| Control Id | Taxonomy Service ID| Objective |
|------------|-----------|---|
|[CCC.OS.C1](#ccc.os.c1)|[CCC-020115](./taxonomy.md#ccc-020115)| Prevent unencrypted requests to object storage bucket|

@nas-hub
Copy link
Contributor

nas-hub commented Jul 21, 2024

Yes, separating gherkin in its own file sounds good. We need to ensure that there is mechanism in place for us to reference the Control Testing Requirement ID from the gherkin test file: Probably we can use a structured preamble that references the testing requirements being fulfilled by the test.

Feature: Ensure all known weak cipher suites are not supported

  """
  Requirement Ids: [CCC.OS.C1.TR.03, ]
  This feature describes the user login process.
  It includes scenarios for successful and unsuccessful login attempts.
  """

Scenario: Successful login
   Given the user is on the login page
   When the user enters their username and password
   And the user clicks the login button
   Then the user should be redirected to the home page

Key points:

  • From a mapping point of view - A Test can fulfill multiple Control Testing Requirements. (N-N relationship between Test and Testing Requirement. Mapping can be maintained in gherkins file.)
  • Roles and Responsibilities can also be better defined and managed. A Controls Assessment Team can be responsible for define the Controls Testing Requirements, Controls Security Engineer can be developing the gherkins. Over time the Tests will grow to improve the effectiveness of fulfilling a defined set of Controls Testing Requirements.

@eddie-knight eddie-knight mentioned this pull request Jul 24, 2024
Merged
@mlysaght2017 mlysaght2017 requested a review from rowan-baker July 27, 2024 20:53
This was referenced Aug 1, 2024
Closed
Merged
@eddie-knight eddie-knight requested a review from a team as a code owner August 1, 2024 16:14
damienjburks
damienjburks previously approved these changes Aug 1, 2024
View reviewed changes
eddie-knight
eddie-knight previously approved these changes Aug 1, 2024
View reviewed changes
@eddie-knight
Copy link
Contributor

I recommend merging a CODEOWNERS change in a separate PR, to make sure that the Taxonomy WG isn't errantly required as reviewers.

@mlysaght2017 mlysaght2017 dismissed stale reviews from eddie-knight and damienjburks via 35c62df August 2, 2024 09:35
eddie-knight added a commit that referenced this pull request Aug 2, 2024
@eddie-knight
Added Security WG codeowners for *.feature
733aab3 
This will unblock #263
@eddie-knight eddie-knight mentioned this pull request Aug 2, 2024
Closed
@damienjburks damienjburks mentioned this pull request Aug 2, 2024
Merged
@eddie-knight eddie-knight merged commit 82691d0 into finos:main Aug 2, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nas-hub nas-hub nas-hub left review comments

@eddie-knight eddie-knight eddie-knight left review comments

@damienjburks damienjburks damienjburks approved these changes

@rowan-baker rowan-baker Awaiting requested review from rowan-baker

Assignees
No one assigned
Labels
control definitions security
Projects
FINOS Common Cloud Controls - Project Kanban
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mlysaght2017 @nas-hub @damienjburks @eddie-knight