Write a security outline doc

[kalbir]

Background

We want to lay out our approach on key security aspects of the platform so that we can share with the security teams and get their input on areas that we want to prioritise.

Approach

@kalbir and @alkar to write a document that outlines what we are doing about:

• access control
• authentication
• secrets
• encryption in transit
• application isolation
• logging/audit

and other topics so that we have something to walk through with the security teams.

Questions / Assumptions

Definition of done

• [ ] There is a document that covers the above topics
• [ ] There are some diagrams
• [ ] It addresses the case of running the laa-fee-calculator app

Reference

How to write good user stories

[sid-secops]

Standardized Architecture for UK-OFFICIAL in the AWS Cloud: Quick Start Reference Deployment - https://aws.amazon.com/about-aws/whats-new/2017/01/standardized-architecture-for-uk-official-in-the-aws-cloud-quick-start-reference-deployment/

Cloud Security Principles Controls Matrix - Cloud-Security-Principles-UK-Controls-Mapping.xlsx

PCI-DSS Controls matrix - https://aws.amazon.com/quickstart/architecture/compliance-pci/ PCI-DSS-Security-Controls-Mapping.xlsx