Closed fmichaelobrien closed 7 months ago
20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards. This issue may participate in the LZ refactor after rebase. Query all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4
We have been focused on ITSG-33 security controls until 202208; we need to verify our compliance with Network Zoning and ZIPs (Zone Interface Points).
ITSG-22 https://cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022 and https://cyber.gc.ca/sites/default/files/cyber/publications/itsp80022-e.pdf
ITSG-38 Placement of Services within Zones - https://open.canada.ca/data/en/dataset/7ef76a62-bb53-4e9c-b2a4-03e5c53570a1 and https://cyber.gc.ca/en/guidance/network-security-zoning-design-considerations-placement-services-within-zones-itsg-38
SSC 2020 Network Security Zoning Reference Architecture - https://wiki.gccollab.ca/images/9/9d/Network_Security_Zoning_Reference_Architecture.pdf
Flows, firewall demarcation, encryption-in-transit levels: L3/L4 (default internal) + L7
Expand on https://cloud.google.com/architecture/landing-zones/decide-network-design#option-2 in https://cloud.google.com/architecture/landing-zones#what-is-a-google-cloud-landing-zone
20220920 Network separation question: We have a couple of options to start.

1. Shared VPC (host) with service subnets. This works best for PaaS workloads (with some sharing, where separation is at the k8s namespace and/or service level) (aka transit gateway).
2. Workload (non-shared) VPCs peered to the shared perimeter (1 fortigate cluster per gc-cap, with flow separation).
3. Workload (non-shared) VPCs peered to their own perimeter (usually prod/stg/dev fortigate separation, but we can expand). I have only seen 2 above though.

For all of 1-3 we can separate using explicit and implicit routing/firewall-rule separation. Usually 2-3 are for both free-form sandbox and specific prod workloads (one team does bucket downloads, for example), where the rest of the workloads are OK with sharing the PaaS in 1.
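Whichever of the three layouts is chosen, the firewall-rule side of the separation can be checked mechanically: every allowed flow should either stay inside one zone or hop through the ZIP (the perimeter firewall cluster). The checker below is an added example, not code from this issue or from the pbmm-on-gcp-onboarding repo. It reads rules in the JSON shape emitted by `gcloud compute firewall-rules list --format=json` and reports any enabled allow rule that opens a direct cross-zone path, an unscoped rule, or a rule using address ranges outside the zone model. The zone-to-CIDR mapping, the ZIP address range and the sample rule set are all constructed assumptions for the example, not the project's real addressing.

```python
"""Check exported GCP VPC firewall rules against a simple network-zoning model.

Added example; not code from the issue or the pbmm-on-gcp-onboarding repo.
Assumptions (all constructed for this example): the zone-to-CIDR mapping, the
ZIP address range, and the sample rules.  The rule shape follows the JSON that
`gcloud compute firewall-rules list --format=json` emits.
"""
import ipaddress

# Hypothetical zone addressing (assumption, not the project's real plan).
ZONE_CIDRS = {
    "PAZ": ["10.0.0.0/24"],  # public access zone: ingress proxies / load balancers
    "OZ": ["10.1.0.0/16"],   # operations zone: application workloads
    "RZ": ["10.2.0.0/16"],   # restricted zone: data stores
}
# Hypothetical ZIP: interface addresses of the perimeter firewall cluster.
ZIP_CIDRS = ["10.255.0.0/28"]

ZONE_NETS = {z: [ipaddress.ip_network(c) for c in cidrs] for z, cidrs in ZONE_CIDRS.items()}
ZIP_NETS = [ipaddress.ip_network(c) for c in ZIP_CIDRS]


def classify(cidr: str) -> str:
    """Map a CIDR to 'Internet', 'ZIP', a zone name, or 'UNKNOWN'.

    A range must sit entirely inside one zone to classify; a range that spans
    zones (e.g. 10.0.0.0/8) is UNKNOWN so over-broad rules get reported.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "Internet"
    if any(net.subnet_of(z) for z in ZIP_NETS):
        return "ZIP"
    for zone, nets in ZONE_NETS.items():
        if any(net.subnet_of(n) for n in nets):
            return zone
    return "UNKNOWN"


def find_violations(rules: list[dict]) -> list[str]:
    """Return one finding per (source, destination) pair that breaks zoning.

    Only enabled allow rules can open a path, so deny and disabled rules are
    skipped.  A pair is acceptable when one end is the ZIP (the hop through the
    perimeter firewall) or when both ends are inside the same zone; Internet to
    Internet (any-any) is never acceptable.
    """
    findings = []
    for rule in rules:
        name = rule["name"]
        if rule.get("disabled") or "allowed" not in rule:
            continue
        sources = rule.get("sourceRanges") or []
        destinations = rule.get("destinationRanges") or []
        if not sources or not destinations:
            findings.append(f"{name}: allow rule is not scoped by both source and "
                            "destination ranges; zone cannot be determined")
            continue
        for src in sources:
            for dst in destinations:
                src_zone, dst_zone = classify(src), classify(dst)
                if "ZIP" in (src_zone, dst_zone):
                    continue  # one hop to or from the perimeter firewall: expected
                if src_zone == dst_zone and src_zone not in ("Internet", "UNKNOWN"):
                    continue  # intra-zone traffic
                if "UNKNOWN" in (src_zone, dst_zone):
                    findings.append(f"{name}: {src} -> {dst} uses a range outside "
                                    "or spanning the zone model")
                else:
                    findings.append(f"{name}: {src} ({src_zone}) -> {dst} "
                                    f"({dst_zone}) does not traverse the ZIP")
    return findings


# Constructed sample export; not real rules from any project.
SAMPLE_RULES = [
    {"name": "allow-internet-to-zip-https", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "destinationRanges": ["10.255.0.0/28"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-zip-to-oz-app", "direction": "INGRESS",
     "sourceRanges": ["10.255.0.0/28"], "destinationRanges": ["10.1.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8443"]}]},
    {"name": "allow-oz-to-zip-db", "direction": "EGRESS",
     "sourceRanges": ["10.1.0.0/16"], "destinationRanges": ["10.255.0.0/28"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-oz-to-rz-direct", "direction": "INGRESS",  # bypasses the ZIP
     "sourceRanges": ["10.1.0.0/16"], "destinationRanges": ["10.2.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "allow-paz-ops", "direction": "INGRESS",  # mixed: ZIP ok, RZ not
     "sourceRanges": ["10.0.0.0/24"],
     "destinationRanges": ["10.255.0.0/28", "10.2.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-internal", "direction": "INGRESS",  # unscoped
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-oz-to-rz", "direction": "INGRESS",  # deny cannot open a path
     "sourceRanges": ["10.1.0.0/16"], "destinationRanges": ["10.2.0.0/16"],
     "denied": [{"IPProtocol": "all"}]},
    {"name": "legacy-oz-to-rz", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["10.1.0.0/16"], "destinationRanges": ["10.2.0.0/16"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-onprem-to-oz", "direction": "INGRESS",  # range not in model
     "sourceRanges": ["192.168.1.0/24"], "destinationRanges": ["10.1.0.0/16"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_RULES):
        print(finding)
```

Run against the sample set it reports four findings (the direct OZ to RZ rule, the RZ half of the mixed PAZ rule, the unscoped internal rule, and the out-of-model on-prem range) and stays silent on the ZIP hops, the deny rule and the disabled rule. It only covers the firewall-rule half of the separation; the routing half (whether a route actually forces cross-zone traffic through the fortigate cluster) still has to be checked against the VPC route tables and peering configuration.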