canada-ca / cloud-guardrails

Minimum guardrails for GC's cloud operationalization framework.
https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32787
MIT License
92 stars 33 forks source link

Cloud Guardrail for Sandbox environment not clear #96

Open PatrickMessierGoC opened 2 years ago

PatrickMessierGoC commented 2 years ago

Problem to solve

We are trying to understand the "segment & separate" requirement for "Experimentation/Sandbox" (profile 1) environment. We find the statement "Required (network filtering at a minimum)" is vague and open to interpretation.

Intended users

Departmental teams mendated to implement Cloud Guardrails.

Further details

Development teams request public cloud environment to implement DevOps workflows whereas IT Security teams often claim that, based on the "segment & separate" requirement, development environments must be behind firewall, thus be somewhat private, even if "Experimentation/Sandbox" environments is used.

Proposal

Can you please elaborate on what is truly expected from this expression and add those clarification to the table here. For example, would IP filtering on resources be enough for trully development enviroment?

Permissions and Security

N/A

What does success look like, and how can we measure that?

Links / references

N/A

fmichaelobrien commented 2 years ago

Patrick, Thanks for the question - very good point - I have run into this myself gathering compliance evidence - yes GR 8 at the profile 1 level https://github.com/canada-ca/cloud-guardrails/blob/master/EN/00_Applicable-Scope.md usually involves the default VPC (non-shared at this point) with default ingress/egress FW rules, no policies, no org policies on public IP restriction. However it is recommended to have GR 5 - regional restriction to the 2 regions in Canada - this will force VPC creation to limit to these 2 regions and provide for minimal segmentation.

Ideally a network diagram like the following would help but not required.

As a work item over the next couple days I will add a PR to adjust the scope of the GR8 ask in terms of detailing "Network Filtering" - which implies either a cloud native DDoS, Firewall, AV, WAF, IPS/IDS packet inspection set of services or NGFW appliance like Fortigate - or VPC network separation - which is - I think the intention of "Network filtering". In this case VPC separation via routes, FW rules at the VPC or tag level for IaaS VMs in the VPC) - all of which in the case of most CSPs including GCP are part of a default VPC (as long as regional restriction policy is in place)

Security Control https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-security-controls.md#iam---organization-policies---resource-location-restriction

Code:

Guardrails

Kubernetes Config Controller Landing Zone

PatrickMessierGoC commented 2 years ago

@fmichaelobrien Thanks for your quick reply. Any ETA for the documentation updates?