
Extend Object Storage Controls #263

Merged
merged 11 commits into from
Aug 2, 2024
17 changes: 12 additions & 5 deletions services/storage/object/controls.md
@@ -1,5 +1,12 @@
| Control Id | Objective | Description | Test | Service Taxonomy Id | NIST CSF | MITRE ATT&CK Mitigations | Threats |
|------------|-----------|-------------|------|---------------------|---------|--------------------------|---------|
| CCC.OS.C1 | Prevent unencrypted requests to object storage bucket | Block all unencrypted requests to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN an unencrypted HTTP request is made to the bucket; THEN the request should be denied | CCC-020115 | Protect | [M1041](https://attack.mitre.org/mitigations/M1041) | CCC.OS.T1 |
| CCC.OS.C2 | Prevent object storage data encrypted for impact | Block data plane requests with untrusted KMS keys to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN a data plane request with an untrusted KMS key is made to the object storage bucket; THEN the request should be denied | CCC-020114 | Protect | None | CCC.OS.T2 |
| CCC.OS.C3 | Prevent the granting of direct public access to the object storage bucket you own | Block the creation or update of buckets with public access | GIVEN you own the object storage bucket; WHEN the access controls on the bucket are updated to grant public access to the bucket; THEN the request should be denied | CCC-020116 | Protect | [M1022](https://attack.mitre.org/mitigations/M1022/)| CCC.OS.T3 |
| Control Id | Objective | Test | Service Taxonomy Id | Full Service Feature Name | NIST CSF | MITRE ATT&CK TTPs | Control Mappings |
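Review bot: the replacement header on the last line drops the Description, MITRE ATT&CK Mitigations and Threats columns that the removed rows populated, so the CCC.OS.T1 to CCC.OS.T3 threat ids and the M1041/M1022 mitigations have no place in the new layout. If those threat ids live in a separate threats table, the new layout should carry a column (or a link in Control Mappings) back to them; otherwise the control-to-threat mapping is lost by this change and should be called out in the PR description.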
Contributor
Can we consider having Control Testing Requirements as a column? These requirements will define the scope of tests which comprehensively ensure that the Control is fulfilling the defined Objective.

Contributor Author

@mlysaght2017 mlysaght2017 Jul 18, 2024
We can certainly experiment, yes. Can you give a rough feel for what the hierarchy would look like from objective -> test reqs -> tests, relative to one or two of the control objectives/tests here?

|------------|-----------|------|---------------------|---------------------------|----------|-------------------|------------------|
Contributor
Objectives in general are high-level - there may be a need for us to have a level of hierarchy where an Objective maps to multiple Test Requirements and each requirement has multiple Tests.

Contributor

@eddie-knight eddie-knight Jul 21, 2024
I'm wondering whether we should switch up our approach here.

Perhaps we start with a summary table that is a pared-down version of this, and then the rest of the document can contain deep-dives of each control.

Here's a quick and dirty example... I created a template very loosely inspired by CIS and threw a few rows in.

Would something like this fit with y'alls vision / experience?

@mlysaght2017 @nas-hub @jared-lambert @rowan-baker @kennydunn72



CCC.OS: Object Storage

| Control Id | Service Taxonomy Id | Control |
|------------|---------------------|---------|
| CCC.OS.C1 | CCC-020115 | Prevent unencrypted requests to object storage bucket |
| CCC.OS.C2 | CCC-020114 | Prevent object storage data encrypted for impact |
| CCC.OS.C3 | CCC-020116 | Prevent granting direct public access to object storage bucket |

CCC.OS.C1: Prevent unencrypted requests to object storage bucket

Corresponding Feature: CCC-020115 (Encryption in Transit)
NIST CSF: Protect (PR.DS-2)
MITRE ATT&CK TTP: T1040 - Network Sniffing

Objective

Prevent any unencrypted HTTP requests to the object storage bucket, ensuring that all communications are encrypted in transit to protect data integrity and confidentiality.

Tests

CCC.OS.C1.01: Ensure HTTPS succeeds

  • Given you own the object storage bucket
  • When an encrypted HTTPS request is made to the bucket
  • Then the request is allowed

CCC.OS.C1.02: Ensure HTTP fails

  • Given you own the object storage bucket
  • When an unencrypted HTTP request is made to the bucket
  • Then the request is denied

Control Mappings

  • CCM: IVS-09, DSI-03

CCC.OS.C2: Prevent object storage data encrypted for impact

Corresponding Feature: CCC-020114 (Encryption at Rest)
NIST CSF: Protect (PR.DS-1)
MITRE ATT&CK TTP: T1486 - Data Encrypted for Impact

Objective

Ensure that data within the object storage bucket is not encrypted with an untrusted Key Management Service (KMS) key, thereby protecting data integrity and preventing unauthorized access.

Tests

CCC.OS.C2.01: Ensure trusted KMS key succeeds

  • Given you own the object storage bucket
  • When a data plane request with a trusted KMS key is made to the object storage bucket
  • Then the request is allowed

CCC.OS.C2.02: Ensure untrusted KMS key fails

  • Given you own the object storage bucket
  • When a data plane request with an untrusted KMS key is made to the object storage bucket
  • Then the request is denied

Control Mappings

  • CCM: DSI-01, DSI-02

CCC.OS.C3: Prevent granting direct public access to object storage bucket

Corresponding Feature: CCC-020116 (Identity Based Access Control)
NIST CSF: Protect (PR.AC-4)
MITRE ATT&CK TTP: T1530 - Data from Cloud Storage Object

Objective

Prevent the object storage bucket from being publicly accessible by controlling and restricting access permissions to only authorized users, thus protecting the data from unauthorized access.

Tests

CCC.OS.C3.01: Ensure privileged requests succeed

  • Given you own the object storage bucket
  • When a request is made from a privileged user
  • Then the request is allowed

CCC.OS.C3.02: Ensure non-privileged requests fail

  • Given you own the object storage bucket
  • When a request is made from a non-privileged user
  • Then the request is denied

Control Mappings

  • CCM: IVS-07, DSI-04
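The Given/When/Then scenarios in the template above only become useful once they are executable against a real bucket configuration. The following is an added example, not code from this PR or the CCC project: a provider-neutral model of a bucket and the requests made to it, with the six template scenarios (CCC.OS.C1.01 through CCC.OS.C3.02) expressed as data and run by a small evaluator. The bucket fields (`enforce_tls`, `trusted_kms_keys`, `public_access`, `authorized_principals`), the principal names and the KMS key ids are all constructed for the example and are not catalog or cloud-provider identifiers. Running the scenarios against a second bucket with TLS enforcement switched off shows how a weak setting surfaces as a failed scenario rather than a silent pass.

```python
# Added example, not code from the PR or the CCC project: executable forms of the
# Given/When/Then scenarios in the template above (CCC.OS.C1.01 .. CCC.OS.C3.02).
# The bucket model, its field names and the sample principals/key ids are all
# constructed for this example; they are not cloud-provider or catalog identifiers.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Bucket:
    owner: str
    enforce_tls: bool = True                                   # CCC.OS.C1: plaintext HTTP refused
    trusted_kms_keys: frozenset = frozenset({"kms/owner-key"})  # CCC.OS.C2: keys the owner trusts
    public_access: bool = False                                # CCC.OS.C3: no public grants
    authorized_principals: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Request:
    principal: str                 # "anonymous" models an unauthenticated caller
    scheme: str                    # "http" or "https"
    kms_key: Optional[str] = None  # key named by a data-plane write, if any


def evaluate(bucket: Bucket, req: Request) -> tuple:
    """Deny-by-default data-plane check: a request must clear every control.
    Returns (allowed, reason) so a failed scenario can report which control fired."""
    if bucket.enforce_tls and req.scheme != "https":
        return False, "CCC.OS.C1: unencrypted request denied"
    if req.kms_key is not None and req.kms_key not in bucket.trusted_kms_keys:
        return False, "CCC.OS.C2: untrusted KMS key denied"
    if req.principal == "anonymous" and not bucket.public_access:
        return False, "CCC.OS.C3: unauthenticated access denied"
    if req.principal != "anonymous" and req.principal not in bucket.authorized_principals:
        return False, "CCC.OS.C3: principal not authorized"
    return True, "allowed"


def update_access(bucket: Bucket, public: bool) -> tuple:
    """Control-plane check for CCC.OS.C3: a change that would grant public access
    is refused before it is applied, so the bucket never enters a public state."""
    if public:
        return False, "CCC.OS.C3: public access grant denied"
    bucket.public_access = False
    return True, "access controls updated"


# Scenario id -> (request, expected to be allowed). Mirrors the template's tests.
SCENARIOS = {
    "CCC.OS.C1.01": (Request("alice", "https"), True),
    "CCC.OS.C1.02": (Request("alice", "http"), False),
    "CCC.OS.C2.01": (Request("alice", "https", kms_key="kms/owner-key"), True),
    "CCC.OS.C2.02": (Request("alice", "https", kms_key="kms/unknown-key"), False),
    "CCC.OS.C3.01": (Request("alice", "https"), True),       # privileged user
    "CCC.OS.C3.02": (Request("anonymous", "https"), False),  # non-privileged user
}


def run_scenarios(bucket: Bucket) -> dict:
    """Return {scenario id: passed}. A scenario passes when the bucket's actual
    decision matches the THEN clause of the scenario."""
    results = {}
    for sid, (req, expect_allowed) in SCENARIOS.items():
        allowed, _reason = evaluate(bucket, req)
        results[sid] = allowed == expect_allowed
    return results


def compliant_bucket() -> Bucket:
    return Bucket(owner="alice", authorized_principals=frozenset({"alice"}))


def weak_bucket() -> Bucket:
    # Same bucket with TLS enforcement switched off: CCC.OS.C1.02 must now fail.
    b = compliant_bucket()
    b.enforce_tls = False
    return b


if __name__ == "__main__":
    for name, b in (("compliant", compliant_bucket()), ("weak", weak_bucket())):
        print(name, run_scenarios(b))
    print("grant public:", update_access(compliant_bucket(), public=True))
```

The evaluator is deny-by-default on purpose: each control is an independent reason to refuse, so a scenario failure names the control that did not hold rather than just reporting "denied". Keeping the scenarios as a table keyed by the catalog ids is what lets the Gherkin feature files and the control catalog stay in step.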

Contributor Author
@nas-hub @damienjburks @eddie-knight @rowan-baker - made updates to align to template and added in separate gherkin feature files for two of the controls. The test requirements map to the gherkin features and then within each test requirement/feature there are individual tests/scenarios. There are links between the testing requirement in the catalog and the corresponding feature within the gherkin files. Agree with @damienjburks that we should have the taxonomy features tagged so we can link to those as well.

| CCC.OS.C1 | Prevent unencrypted requests to object storage bucket | GIVEN you own the object storage bucket; WHEN an unencrypted HTTP request is made to the bucket; THEN the request is denied | CCC-020115 | Encryption in Transit | Protect (PR.DS-2) | [T1040 - Network Sniffing](https://attack.mitre.org/techniques/T1040/) | CCM: IVS-09, DSI-03 |
| CCC.OS.C2 | Prevent object storage data encrypted for impact | GIVEN you own the object storage bucket; WHEN a data plane request with an untrusted KMS key is made to the object storage bucket; THEN the request is denied | CCC-020114 | Encryption at Rest | Protect (PR.DS-1) | [T1486 - Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/) | CCM: DSI-01, DSI-02 |
| CCC.OS.C3 | Prevent the granting of direct public access to the object storage bucket you own | GIVEN you own the object storage bucket; WHEN the access controls on the bucket are updated to grant public access to the bucket; THEN the request is denied | CCC-020116 | Identity Based Access Control | Protect (PR.AC-4) | [T1530 - Data from Cloud Storage Object](https://attack.mitre.org/techniques/T1530/) | CCM: IVS-07, DSI-04 |
| CCC.OS.C4 | Ensure that all access to the object storage bucket is restricted by the outermost data perimeter achievable based on identity, minimizing the risk of unauthorized access and data exfiltration by enforcing strict identity-based access controls at the outermost boundary for the object storage service. | GIVEN you own the object storage bucket; WHEN an identity outside the outermost identity-based data perimeter attempts to access the bucket; THEN access is denied | CCC-020116 | Identity Based Access Control | Protect (PR.AC-1, PR.AC-3) | [T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078/), [T1531 - Data from Cloud Storage Object](https://attack.mitre.org/techniques/T1531/) | CCM: IAM-01, IAM-02 |
| CCC.OS.C5 | Ensure that all human user access to object storage bucket requires multi-factor authentication (MFA), minimizing the risk of unauthorized access by enforcing strong authentication mechanisms. | GIVEN you own the object storage bucket; WHEN an identity without valid MFA attempts to access the bucket; THEN access is denied | CCC-020116 | Identity Based Access Control | Protect (PR.AC-7) | [T1078 - Valid Accounts](https://attack.mitre.org/techniques/T1078/) | CCM: IAM-03, IAM-08 |
| CCC.OS.C6 | Ensure that all communications with object storage buckets use the latest available TLS version to prevent unauthorized access and data breaches. | GIVEN you own the object storage bucket; WHEN an entity attempts to connect to the object storage bucket with an outdated TLS version; THEN the connection is denied | CCC-020115 | Encryption in Transit | Protect (PR.DS-2) | [T1040 - Network Sniffing](https://attack.mitre.org/techniques/T1040/), [T1071 - Application Layer Protocol](https://attack.mitre.org/techniques/T1071/) | CCM: IVS-09, IVS-10 |
| CCC.OS.C7 | Ensure that data stored in the object storage bucket is immutable for a defined period, preventing unauthorized modifications or deletions and thereby mitigating data destruction. | GIVEN you own the object storage bucket; WHEN an attempt is made to modify objects in the bucket during the defined immutability retention period; THEN the modification is denied | CCC-020112 | Compliance and Governance | Protect (PR.DS-1) | [T1485 - Data Destruction](https://attack.mitre.org/techniques/T1485/), [T1074 - Data Staged](https://attack.mitre.org/techniques/T1074/) | CCM: DSI-05, DSI-07 |
| CCC.OS.C8 | Ensure that all control plane activity on the object storage bucket is logged | GIVEN you own the object storage bucket; WHEN control plane activity occurs on the bucket; THEN the activity is logged | CCC-020118 | Logging | Detect (DE.AE-3) | [T1005 - Data from Local System](https://attack.mitre.org/techniques/T1005/), [T1027 - Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027/) | CCM: DSI-06, STA-04 |
| CCC.OS.C9 | Ensure that all data plane activity on the object storage bucket is logged | GIVEN you own the object storage bucket; WHEN data plane activity occurs on the bucket; THEN the activity is logged | CCC-020118 | Logging | Detect (DE.AE-3) | [T1005 - Data from Local System](https://attack.mitre.org/techniques/T1005/), [T1074 - Data Staged](https://attack.mitre.org/techniques/T1074/) | CCM: DSI-06, STA-04 |
| CCC.OS.C10 | Ensure that multiple versions of objects in the object storage bucket are maintained to mitigate data destruction or encryption for impact | GIVEN you own the object storage bucket; WHEN an object is modified or deleted; THEN a previous version of the object is retained | CCC-020111 | Versioning | Protect (PR.DS-1) | [T1485 - Data Destruction](https://attack.mitre.org/techniques/T1485/), [T1486 - Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/) | CCM: DSI-05, DSI-07 |
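Review bot: in the CCC.OS.C4 row the second TTP is labelled "T1531 - Data from Cloud Storage Object" but links to https://attack.mitre.org/techniques/T1531/, while the CCC.OS.C3 row (and the template in the earlier comment) map that same technique name to T1530; one of the two ids is wrong, and the C4 row should be brought in line with C3. In the CCC.OS.C8 row, the technique names shown (Data from Local System, Obfuscated Files or Information) do not describe control-plane operations on a bucket, so either the rationale for that mapping should be noted in the PR or the logging controls should carry only their Detect (DE.AE-3) mapping.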