CC-in-the-Cloud / General

Common Criteria in the Cloud Technical Community
https://cc-in-the-cloud.github.io/
MIT License

Additional Security Problem Definition considerations - deployment automation #129

Open sckgh opened 6 months ago

sckgh commented 6 months ago

"The PP author’s focus should be to ensure that guidance developers understand the need for the guidance to instruct users on how to replicate the evaluated configuration to the greatest extent possible." Should additional comment be provided recommending use of deployment templates (e.g: Helm charts, cloud formation, Terraform) to ensure CC compliant builds of PaaS and/or self-hosted SaaS?

SPD additions:

A.DEPLOYMENT_AUTOMATION - Developers utilise automation scripts in preparative procedures to ensure that cloud environments are replicated as closely as possible to the TOE.

OE.DEPLOYMENT_AUTOMATION - Use of deployment automation tools in the preparation of the TOE reduces the risk of misconfiguration and allows for standardised builds of compliant systems.

Justification: CSA CCM -- AIS-06 -- Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.

jgb1128 commented 6 months ago

@tstodart to review. Thank you for your comment/suggestion @sckgh I will contact you with information about joining our TC.

tstodart commented 6 months ago

At the level of the TOE guidance, we could add your suggestions on automation and deployment templates. However, it would probably be at the level of 'this is a good thing to have' since during our call there was a feeling that it would not be easy to make this an evaluation requirement - how would the evaluator judge whether the deployment was 'sufficiently' automated?

Regarding the SPD additions, this is not at the level of the TOE but satisfied by the Trusted Platform. The mapping to CSA CCM AIS-06 was helpful, but this doesn't appear to map well to cloud authorisation schemes/mappings that we have focussed on (e.g. FedRAMP or the Cisco Cloud Controls Framework mapping) that need to demonstrate that these SPD elements are considered.

jgb1128 commented 6 months ago

Recommend consider for future, to confirm with team at next meeting

jgb1128 commented 1 month ago

@kenhake please add your comment.

kenhake commented 1 month ago

If we consider the SPD additions above, we might also consider adding measures to ensure the integrity of the TOE to be tested with the same justification: CSA CCM AIS-06.

Deployment validation: Use of scripting tools to validate that the configuration is and remains as specified and as implemented by the deployment automation tools in order to verify that testing is being performed on the correct TOE configuration.
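An added sketch of the deployment validation described in the comment above, not part of the thread and not Technical Community material: it compares the configuration a deployment reports against the recorded evaluated configuration and lists every setting that has drifted. The setting names, the hostname and both sample configurations are constructed for illustration.

```python
import hashlib
import json
def flatten(cfg, prefix=""):
    """Flatten nested dicts/lists into {dotted.path: leaf} for leaf-by-leaf comparison."""
    if isinstance(cfg, dict) and cfg:
        items = cfg.items()
    elif isinstance(cfg, list) and cfg:
        items = enumerate(cfg)
    else:  # scalar or empty container: keep as a leaf so it cannot vanish unnoticed
        return {prefix: cfg} if prefix else {}
    flat = {}
    for key, value in items:
        flat.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return flat

def config_digest(cfg):
    """SHA-256 over canonical JSON, suitable for recording alongside test evidence."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def drift(baseline, deployed):
    """Return (path, kind, expected, actual) tuples sorted by path; [] means no drift."""
    want, have = flatten(baseline), flatten(deployed)
    findings = []
    for path in sorted(want.keys() | have.keys()):
        if path not in have:
            findings.append((path, "missing", want[path], None))
        elif path not in want:
            findings.append((path, "unexpected", None, have[path]))
        elif want[path] != have[path] or type(want[path]) is not type(have[path]):
            findings.append((path, "changed", want[path], have[path]))
    return findings

# Constructed sample: settings recorded for the evaluated configuration (hypothetical keys).
EVALUATED = {
    "tls": {"min_version": "1.2", "ciphers": ["TLS_AES_256_GCM_SHA384"]},
    "audit": {"enabled": True, "remote_syslog": "logs.example.internal"},
    "admin": {"mfa_required": True},
}
# Constructed sample: what the deployed environment reports before a test run.
DEPLOYED = {
    "tls": {"min_version": "1.0", "ciphers": ["TLS_AES_256_GCM_SHA384"]},
    "audit": {"enabled": True},
    "admin": {"mfa_required": True, "debug_shell": True},
}
if __name__ == "__main__":
    for path, kind, expected, actual in drift(EVALUATED, DEPLOYED):
        print(f"{kind:10} {path}: expected={expected!r} actual={actual!r}")
    print("evaluated configuration digest:", config_digest(EVALUATED))
```

Running the same comparison before and after each test session covers the "is and remains" part of the comment; an empty result from `drift` together with a matching digest is the evidence that testing ran against the evaluated configuration.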

jgb1128 commented 1 month ago

Good idea @kenhake let's discuss on the next call.

jgb1128 commented 3 weeks ago

Still open, still being discussed. Revisit after people think about this some more. Issues being discussed include: Does being a Trusted Platform provide coverage for these requirements? Does the CC already cover this? Does the CSA map to FedRAMP for these requirements? Still being researched.