#compliance (2023-06)
| Discuss topics related to compliance. See also <#CBXSAR45B | security>. |
2023-06-01
@Erik Osterman (Cloud Posse) has joined the channel
@Ozzy Aluyi has joined the channel
@matt has joined the channel
@Jonathan Eunice has joined the channel
Yesterday’s discussion on FedRAMP, compliance != security, and related topics was excellent. Good to know I’m not struggling with these things alone.
1
Little background on us: 3Play Media Inc. takes in audio and video and processes it with combination of AI (really, ML, but who’s counting when “AI” is the hot hype word) and human review/correction to produce captions, subtitles, transcripts, audio descriptions, and other accessibility enhancements. We are Cloud Posse graduates (i.e. now in production). Our cloud product, the 3Play Platform, passes SOC 2 and GAAS audits and pentest on our EKS infrastructure/estate. Another part of 3Play passes separate TPN (Motion Picture Association) audit more oriented to on-prem processing model. We are also HIPAA, GDPR, CCPA/CPRA, FERPA, and Microsoft SSPA compliant (but we don’t formally audit against those). We’re consistently looking to harden and lock down (partly for security, partly to meet ever-rising, ever-encroaching customer demands esp. from media, entertainment, finance, and government customers/prospects). Currently using OneTrust Certification Automation (great for past 2 years, but seems to have stalled after Tugboat was acquired). Looking to upgrade program to better align with NIST SP 800-53 and friends and/or ISO 27001 (in addition to SOC 2 and TPN). We’ve talked about doing FedRAMP and have been requested to meet several crazy-deep custom finance infosec/GRC frameworks. They feel above our current station/capabilities, but we’re edging that direction to prepare for a future deal for which the business says “okay, it’s now worth it to comply, get going!”
@Hao Wang has joined the channel
@Sean has joined the channel
@Jim Conner has joined the channel
Thanks for starting the channel. I’m required to meet nearly all the compliance/authorization types. (ISOs,SOCs,PCI,HiTrust,FedRAMP, …).
yeah, we do fedramp and ISO – and one more iirc
I’m curious about how you folks, if you use RDBMS, manage the credential rotation requirements –
Depends what your auditor ends up requiring. The FedRAMP NIST controls don’t give, from what I recall, an exact rotation period.
It’s annoying that AWS don’t offer an RDS IAM Sidecar Proxy:
• That would eliminate cred management.
• This is another area where GCP are MILES AHEAD. ◦ They suggest you don’t use passwords, instead user their IAM proxy.
We’ve been contemplating building the equivalent for RDS and AWS IAM. Built a basic Go version a few years ago but never took it further.
Even have an issue raised by a friend: https://github.com/aws/containers-roadmap/issues/1508
Please add upvotes there to help with getting attention.
This would eliminate the need for RDS passwords. No rotation! No secret storage! No distributing! …
Or this approach, which I’ve been considering:
• cron job that gets new cred from IAM every 10 minutes and feeds it to pgBouncer (or the mysql equivalent) that’s running in a sidecar: https://sreeraj.dev/sidecar-containers/
hmm…I’m not sure what you’re talking about as far as an RDS IAM sidecar proxy…but I’m guessing what you’re talking about is db users existing in IAM and the sidecar somehow injecting credentials into RDS?
it’s java
forget that noise
we don’t have any users in IAM as we are 100% SSO for everything…so something like that probably wouldn’t be useful to us unless we broke our paradigm – we have a different set of methods for auth and I’m writing an operator which performs syncing between our vault storage and the databases which automatically rotates secrets every n days.
We don’t have users either. 100% SAML to AWS.
We have policies in place that block the ability to create IAM Users.
Talking about services here. Not people. For that, IRSA is the standard: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
between our vault storage and the database
Yeah. There are sidecars, like what I described for AWS IAM, that rotate from Vault automatically.
actually, vault doesn’t need a sidecar to rotate….however, in the way our environment works, vault’s native rotation will not work for us.
@Jeff May has joined the channel
@Fizz has joined the channel
@James has joined the channel
2023-06-02
@Justin Erny has joined the channel
2023-06-03
@Tom Atwood has joined the channel
@Allan Swanepoel has joined the channel
2023-06-05
Another Security/Compliance tool to consider. Early version of it. Goal is to audit clusters against the “EKS Best Practices Guide (EBPG)“: https://aws.amazon.com/blogs/containers/hardeneks-validating-best-practices-for-amazon-eks-clusters-programmatically/
2023-06-15
@Hans D has joined the channel
@Soren Jensen has joined the channel
2023-06-20
@Sam has joined the channel
2023-06-28
@Nate G. has joined the channel
2023-06-29
@Marcin has joined the channel
2023-06-30
(Continuing SIEM discussion from office-hours) Another great tool for SIEM related activities is Falco. https://falco.org/ https://github.com/falcosecurity/falco
It came from SysDig and is CNCF Incubation.
https://sweetops.slack.com/archives/CHDR1EWNA/p1687980845340909
