Add in new object storage controls on encryption for impact and replication to untrusted destinations #305

Merged
merged 2 commits into from
Aug 29, 2024
46 changes: 46 additions & 0 deletions services/storage/object/controls.md
@@ -9,6 +9,8 @@
| CCC.OS.C5 | CCC-020118 | Log all access and changes to object storage bucket |
| CCC.OS.C6 | CCC-020118 | Prevent access to object storage from trusted cloud tenants and cloud services |
| CCC.OS.C7 | CCC-020118 | Prevent deploying object storage in restricted regions |
| CCC.OS.C8 | CCC-020114 | Prevent requests to object storage that use untrusted encryption keys |
| CCC.OS.C9 | CCC-020106 | Prevent object storage replication of data to untrusted destinations |

---
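Review bot: the feature ID for CCC.OS.C8 in this table (CCC-020114) does not match the "Corresponding Feature: CCC-020116 (Access Control)" line in the new C8 section later in this same patch; one of the two should change so the summary table and the section agree. CCC.OS.C9 is consistent (CCC-020106 in both places). A smaller point: the table row says "untrusted encryption keys" while the C8 heading says "Untrusted KMS Keys"; using one term in both places would make the summary easier to search.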

@@ -181,3 +183,47 @@ The following validations must be performed against corresponding Control Implem
1. **CCC.OS.C7.TR.01** {#CCC.OS.C7.TR.01}: Verify that object storage are not deployed in any of the restricted regions and zones.
2. **CCC.OS.C7.TR.02** {#CCC.OS.C7.TR.02}: Verify that object storage cannot be deployed in any of the restricted regions and zones.
3. **CCC.OS.C7.TR.03** {#CCC.OS.C7.TR.03}: Verify that object storage cannot be backedup or copied to any of the restriced regions and zones.

## CCC.OS.C8: Prevent Requests to Object Storage Buckets or Objects with Untrusted KMS Keys

- Corresponding Feature: CCC-020116 (Access Control)
- NIST CSF: Protect (PR.DS-4)
- MITRE ATT&CK TTP: T1486 - Data Encrypted for Impact

### Objective

Prevent any requests to object storage buckets or objects using untrusted KMS keys to protect against unauthorized data encryption that can impact data availability and integrity.

### Control Mappings

- CCM: DSI-04, DSI-05
- ISO/IEC 27001:2013 A.12.3.1
- NIST SP 800-53: CP-6, CP-9

### Testing Requirements

The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed:

1. [**CCC.OS.C8.TR01**]{#CCC.OS.C8.TR.01}: Verify that access policies for cloud storage buckets and objects prevent requests with untrusted KMS keys. In this case, an untrusted KMS key is one that is not specified as trusted by the cloud storage bucket owner.

## CCC.OS.C9: Prevent Replication to Untrusted Destinations
Contributor

How can we define untrusted destinations? Will this be a list of services, a list of geographies, a list of third parties, etc.? If it is geographies then there is scope to merge this with C7, wherein we can expand C7 to include backups also being blocked in restricted regions and zones.

We need to define "Untrusted Destinations"

Contributor Author


Thinking here is that untrusted destinations (resources) are any that exist outside of a defined identity/network perimeter, e.g. at the organization level. E.g. if the targeted destination/resource is not within a member project/account/subscription within the org, then deny.

Contributor


Got it, we may need to have a glossary of terms we use in CCC and define its scope. Or probably just qualify the untrusted destination further, contrasting it with Trusted Identity Perimeter and Trusted Network Perimeter, similar to the term Trusted Computing Base defined in NIST/ISC2.

The control and testing requirement LGTM


- Corresponding Feature: CCC-020106 (Availability)
- NIST CSF: Protect (PR.DS-4)
- MITRE ATT&CK TTP: T1537 - Transfer Data to Cloud Account

### Objective

Prevent object storage replication feature from replicating data to untrusted destinations. In this case, an untrusted destination is a resource that exists outside of a specified trusted identity or network perimeter (i.e. a data perimeter).

### Control Mappings

- CCM: DSI-04, DSI-05
- ISO/IEC 27001:2013 A.12.3.1
- NIST SP 800-53: CP-6, CP-9

### Testing Requirements

The following validations must be performed against corresponding Control Implementation capabilities to ensure the Control Objective is thoroughly assessed:

1. [**CCC.OS.C9.TR01**]{#CCC.OS.C9.TR.01}: Verify that object storage replication configurations are prevented from replicating to untrusted destinations.
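Review bot: the new testing-requirement entries use `[**CCC.OS.C8.TR01**]{#CCC.OS.C8.TR.01}` and `[**CCC.OS.C9.TR01**]{#CCC.OS.C9.TR.01}`, where the visible label (TR01) differs from the anchor (TR.01) and the bracket syntax differs from the existing C7 entries in the context above (`**CCC.OS.C7.TR.01** {#CCC.OS.C7.TR.01}`); suggest `1. **CCC.OS.C8.TR.01** {#CCC.OS.C8.TR.01}: ...` and the same shape for C9 so the identifiers stay uniform. Two smaller points: C8 repeats C9's Control Mappings block verbatim (CCM DSI-04/DSI-05, ISO/IEC 27001:2013 A.12.3.1, NIST SP 800-53 CP-6/CP-9) even though C8's objective concerns which KMS keys may be used rather than replication or availability, so it is worth checking whether key-management mappings fit C8 better; and C8 defines "untrusted KMS key" only inside its testing requirement, whereas C9 places its definition of "untrusted destination" in the Objective, so moving the C8 definition into its Objective would keep the two sections parallel.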