Security_Controls
- Issue ID label filter: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity-controls
- TODO: add P1 and optionally P2 controls. Use the new "All Products" page for a list of Google Cloud services: https://console.cloud.google.com/products
P1 controls by family (140 P1 in total):

| Count | Family | P1 controls |
|-------|--------|-------------|
| 24 | AC | AC-1/2/3/3.7/3.9/3.10/4/4.4/4.12/4.13/4.14/4.15/5/6/6.5/7/8/17/18/18.5/19/19.4/19.100/22 |
| 4 | AT | AT-1/2/2.2/3 |
| 8 | AU | AU-1/2/3/4/4.1/6/8/12 |
| 8 | CA | CA-1/2.1/3/3.2/3.3/3.4/6/7.1 |
| 10 | CM | CM-1/2/2.7/3/5/6/7/7.5/8/9 |
| 2 | CP | CP-1/9 |
| 8 | IA | IA-1/2/2.1/3/4/5/5.1/6 |
| 2 | IR | IR-1/9 |
| 3 | MA | MA-1/3.2/5.2 |
| 9 | MP | MP-1/2/3/4/5/5.3/8/8.3/8.4 |
| 15 | PE | PE-1/2/2.3/2.100/3/4/6/6.2/6.3/6.4/8/16/18/18.1/20 |
| 7 | PL | PL-1/2/4/7/8/8.1/8.2 |
| 9 | PS | PS-1/3/3.1/3.2/4/5/6/6.2/7 |
| 3 | RA | RA-1/2/3 |
| 5 | SA | SA-1/4.2/4.6/4.7/9 |
| 17 | SC | SC-1/2/5/7/7.3/7.5/7.9/7.14/8/12.2/12.3/18/23/24/28/43/101 |
| 6 | SI | SI-1/2/3/4/5/8 |
- The 140 P1 controls are the entries set in italic in https://cyber.gc.ca/sites/default/files/cyber/publications/Annex%20B%20CCCS%20MEDIUM%20Cloud%20Profile%20Recommendations.xlsx, which replaces the older 2021 https://cyber.gc.ca/sites/default/files/cyber/publications/itsg33-ann4a-1-eng.pdf (itself moved from https://cyber.gc.ca/sites/default/files/publications/itsg33-ann4a-1-eng.pdf)
- See the italic P1 list (a diff of 77) in https://cyber.gc.ca/sites/default/files/cyber/publications/itsg33-ann4a-1-eng.pdf
```mermaid
graph LR;
style GCP fill:#44f,stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
%% mapped and documented
PBMM-->AU-1;
PBMM-->AU-2;
PBMM-->AU-3;
PBMM-->AU-4;
PBMM-->AU-4.1;
PBMM-->AU-6;
PBMM-->AU-8;
PBMM-->AU-12;
PBMM-->CM-1;
PBMM-->CM-2;
PBMM-->CM-3;
PBMM-->CM-5;
PBMM-->CM-6;
PBMM-->CM-7;
PBMM-->CM-7.5;
PBMM-->CM-8;
PBMM-->CM-9;
PBMM-->CP-1;
PBMM-->IR-1;
PBMM-->IR-9;
PBMM-->MA-1;
PBMM-->MA-3.3;
PBMM-->MP-2;
PBMM-->PE-3;
PBMM-->PE-19;
PBMM-->RA-1;
PBMM-->RA-2;
PBMM-->RA-3;
%% subset edit point above
%% mapped but not yet documented
unmapped-->AC-2.1/5/6.5/6.10/7/19;
unmapped-->AU-3.2/4/9.4;
unmapped-->CM-3/4/5/8;
unmapped-->CP-7;
unmapped-->IA-4/5.1/5.7/5.13/6/8;
unmapped-->SA-22;
unmapped-->SC-5/7.7/8/8.1/12/17;
%% control to sub-service
AC-2-->bucket-not-public;
AC-2-->enforce-public-access-prevention;
AC-2-->restrict-public-IP-access-sql;
AC-2-->Roles;
AC-2-->Identity-Federation;
AC-3-->Roles;
AC-4-->IDS;
AC-4-->VFW;
AC-4-->Asset-Inventory;
AC-6-->Roles;
AC-12-->Pre-Signed-URLs;
AC-17.1-->IAP;
AC-20.3-->BeyondCorp-CAA;
AU-2-->Monitoring;
AU-2-->Identity;
AU-2-->Password-Policies;
AU-2-->Audit-and-Investigation;
AU-2-->Apps-Reports-Accounts;
AU-2-->Alert-Policy;
AU-2-->Logs-Explorer;
AU-2-->Logs-Router;
AU-2-->bucket-not-public;
AU-2-->bucket-protection-retention-1-sec;
AU-3-->Monitoring;
AU-3-->Alert-Policy;
AU-3-->Logs-Explorer;
AU-3-->Logs-Router;
AU-6-->bucket-protection-retention-1-sec;
AU-6-->Monitoring;
AU-6-->Alert-Policy;
AU-6-->Logs-Explorer;
AU-6-->Logs-Router;
AU-13-->DLP;
AU-13-->bucket-not-public;
AU-13-->Monitoring;
AU-13-->Alert-Policy;
AU-13-->Logs-Explorer;
AU-13-->Logs-Router;
AU-8-->Event-Logging;
%% post-Terraform
post-TF-console-->SC-7-->Location-Restriction;
%% requires Traffic Generation app
AU-12== traffic gen ==>VPC-Flow-Logs;
AU-12== traffic gen ==>SCC-Findings;
AU-12-->SCC-Compliance;
AU-9-->Non-Public-->Cloud-Storage;
AU-9-->Protection-Retention-->Cloud-Storage;
AT-3-->Certification-Training;
CA-3-->IAP;
CA-3-->Cloud-Deploy;
CA-3-->Deployment-Manager;
CA-3-->Private-Access;
CM-2-->Marketplace-Role-restriction;
IA-2-->Identity-Federation;
IA-2-->IAP;
IA-2.1-->Roles;
IA-2.1-->Identity-Federation;
IA-2.2-->Identity-Federation;
IA-2.1-->IAP;
IA-2.2-->Roles;
IA-5-->IAP;
IA-5-->Roles;
IA-5-->2FA;
IR-6-->Alert-Policy;
IR-6-->Logs-Explorer;
IR-6-->Logs-Router;
IR-6-->bucket-not-public;
IR-6-->bucket-protection-retention-1-sec;
MP-2-->DLP;
MP-2-->Data-Center-Security;
PE-3-->Data-Center-Security;
PE-19-->Data-Center-Security;
RA-5-->SCC-Vulnerabilities;
RA-5-->Vulnerability-Scanning;
SA-4-->SCC-Vulnerabilities;
SA-4-->Vulnerability-Scanning;
SA-8-->Encryption-at-rest;
SA-8-->Encryption-in-transit;
SC-7-->Resource-Location-Restriction;
SC-7== traffic gen ==>VPC-Firewall-Logs;
SC-7-->IDS;
SC-7== traffic gen ==>VPC-Firewall-Rules;
SC-7.3== traffic gen ==>VPC-Firewall-Logs;
SC-7.5== traffic gen ==>VPC-Firewall-Logs;
SC-8-->Encryption-at-rest;
SC-8-->Encryption-in-transit;
SC-13-->Encryption-at-rest;
SC-13-->Encryption-in-transit;
SC-13-->bucket-not-public;
SC-13-->bucket-protection-retention-1-sec;
SC-26-->SCC-Container-Threat-Detection;
SC-26-->Armor;
SC-28.1-->Encryption-at-rest;
SC-28-->Encryption-at-rest;
SC-101-->Data-Center-Security;
SI-2-->Armor;
SI-3-->Vulnerability-Scanning;
SI-3-->SCC-Vulnerabilities;
SI-4== traffic gen ==>Compute-VM;
SI-4-->Armor;
SI-4-->VM-logging-agent-logs;
%% sub-service to service
2FA-->Identity;
Alert-Policy-->Cloud-Logging;
Apps-Reports-Accounts-->Reporting;
Reporting-->Identity;
Asset-Inventory-->IAM;
Armor-->Network-Security;
Audit-and-Investigation-->Identity;
bucket-not-public-->Org-Policies;
bucket-protection-retention-1-sec-->Org-Policies;
enforce-public-access-prevention-->Org-Policies;
restrict-public-IP-access-sql-->Org-Policies;
BeyondCorp-CAA-->Security;
Certification-Training-->Training;
Cloud-Identity-->Google-Admin;
Compute-VM-->Cloud-Logging;
Data-Center-Security-->Security;
Cloud-Deploy-->GCP;
Deployment-Manager-->GCP;
DLP-->Security;
Encryption-in-transit-->Security;
Encryption-at-rest-->Security;
Event-Logging-->Cloud-Operations-Suite;
IAP-->Security;
Identity-Federation-->IAM;
IDS-->Network-Security;
Location-Restriction-->Org-Policies;
Logs-Explorer-->Cloud-Logging;
Logs-Router-->Cloud-Logging;
Marketplace-Role-restriction-->Marketplace;
MFA-->Cloud-Identity;
Monitoring-->GCP;
Org-Policies-->IAM;
Password-Policies-->Identity;
Pre-Signed-URLs-->Cloud-Storage;
Private-Access-->VPC-Networks;
Resource-Location-Restriction-->Org-Policies;
Roles-->IAM;
SCC-Findings-->SCC;
SCC-Compliance-->SCC;
SCC-Container-Threat-Detection-->SCC;
SCC-Vulnerabilities-->SCC;
VM-logging-agent-logs-->Cloud-Logging;
VFW-->VPC-Networks;
VPC-Flow-Logs-->VPC-Networks;
VPC-Firewall-Rules-->VPC-Networks;
VPC-Firewall-Logs-->VPC-Networks;
Vulnerability-Scanning-->Artifact-Registry;
%% service to gcp
Artifact-Registry-->GCP;
Cloud-Operations-Suite-->GCP;
Cloud-Logging-->GCP;
Cloud-Storage-->GCP;
Identity-->Admin;
IAM-->GCP;
Marketplace-->GCP;
Network-Security-->GCP;
SCC-->GCP;
Security-->GCP;
Training-->GCP;
VPC-Networks-->GCP{GCP};
%% PBHH
PBHH-->AU-3.2;
PBHH-->IA-2.2;
```
Rev: 20231114
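As an added example (not part of this wiki or of the toolkit), the following Python script parses the mermaid edge syntax used in the graph above (plain `-->` edges, labelled `== traffic gen ==>` edges, `A-->B-->C` chains, `{shape}` suffixes and `%%` comments) over a constructed subset of the page's edges, then walks each control down to the services hanging off `GCP` so that controls with no mapping, the gaps behind the TODO at the top of the page, fall out as empty lists.

```python
import re
from collections import defaultdict

# Constructed subset of the wiki's mermaid mapping (same edge syntax as the page).
MERMAID = """
graph LR;
%% control to sub-service
AC-2-->bucket-not-public;
AU-12== traffic gen ==>VPC-Flow-Logs;
post-TF-console-->SC-7-->Location-Restriction;
%% sub-service to service, service to gcp
bucket-not-public-->Org-Policies;
VPC-Flow-Logs-->VPC-Networks;
Location-Restriction-->Org-Policies;
Org-Policies-->IAM;
IAM-->GCP;
VPC-Networks-->GCP{GCP};
"""

EDGE = re.compile(r"-->|==[^=>]*==>")  # plain edge, or thick edge carrying a label

def parse_edges(text):
    """Return (src, dst, label) triples; a chain A-->B-->C yields two edges."""
    edges = []
    for raw in text.splitlines():
        line = raw.split("%%")[0].strip().rstrip(";")  # drop comments and ';'
        if not line or line.startswith(("graph", "style")) or not EDGE.search(line):
            continue
        nodes = [re.sub(r"\{.*\}$", "", p.strip()) for p in EDGE.split(line)]  # strip {shape}
        for i, arrow in enumerate(EDGE.findall(line)):
            label = "" if arrow == "-->" else arrow.strip("=> ")  # e.g. 'traffic gen'
            edges.append((nodes[i], nodes[i + 1], label))
    return edges

def coverage(edges, controls, root="GCP"):
    """Map each control to the services it reaches (a service is a node with an
    edge to the root); an empty list means the control is still unmapped."""
    adj = defaultdict(list)
    for src, dst, _ in edges:
        adj[src].append(dst)
    result = {}
    for control in controls:
        seen, stack = set(), [control]
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                stack.extend(adj[node])
        result[control] = sorted(n for n in seen if root in adj[n])
    return result
```

Run it against the full graph text and the P1 list above to get the per-family list of P1 controls that still have no service mapping.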
- ITSG 33 : Security Control Catalogue : https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33
- AU-1 - family: audit and accountability - class: technical - AU-1 : audit and accountability policy and procedures
- AU-2 - family: audit and accountability - class: technical - AU-2 : auditable events
- AU-3 - family: audit and accountability - class: technical - AU-3 : content of audit records
- AU-4 - family: audit and accountability - class: technical - AU-4 : audit storage capacity
- AU-4(1) - family: audit and accountability - class: technical - AU-4.1 : audit storage capacity | transfer to alternate storage
- AU-6 - family: audit and accountability - class: technical - AU-6 : audit review, analysis, and reporting
- AU-8 - family: audit and accountability - class: technical - AU-8 : time stamps
- AU-12 - family: audit and accountability - class: technical - AU-12 : audit generation
- CM-1 - family: configuration management - class: operational - CM-1 : configuration management policy and procedures
- CM-2 - family: configuration management - class: operational - CM-2 : baseline configuration
- CM-3 - family: configuration management - class: operational - CM-3 : configuration change control
- CM-5 - family: configuration management - class: operational - CM-5 : access restrictions for change
- CM-6 - family: configuration management - class: operational - CM-6 : configuration settings
- CM-7 - family: configuration management - class: operational - CM-7 : least functionality
- CM-7(5) - family: configuration management - class: operational - CM-7.5 : least functionality | authorized software / whitelisting
- CM-8 - family: configuration management - class: operational - CM-8 : information system component inventory
- CM-9 - family: configuration management - class: operational - CM-9 : configuration management plan
- CP-1 - family: contingency planning (continuity planning) - class: operational - CP-1 : contingency planning policy and procedures
- IR-1 - family: incident response - class: operational - IR-1 : incident response policy and procedures
- IR-9 - family: incident response - class: operational - IR-9 : information spillage response
- MA-1 - family: maintenance - class: operational - MA-1 : system maintenance policy and procedures
- MA-3(3) - family: maintenance - class: operational - MA-3.3 : maintenance tools | prevent unauthorized removal
- RA-1 - family: risk assessment - class: management - RA-1 : risk assessment policy and procedures
- RA-2 - family: risk assessment - class: management - RA-2 : security categorization
- RA-3 - family: risk assessment - class: management - RA-3 : risk assessment
Check removed files (https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/560):

```
delete mode 100644 solutions/client-landing-zone/client-folder/standard/applications-infrastructure/host-project/securitycontrols.md
delete mode 100644 solutions/client-landing-zone/logging-project/securitycontrols.md
delete mode 100644 solutions/core-landing-zone/lz-folder/audits/logging-project/securitycontrols.md
```
Example visuals for extract and/or live compliance dashboard
- d3js.org based or mermaid in-line-repo markup (generated) in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/Security_Controls
- https://cloud.google.com/security/compliance/fedramp
- detailed ITSG-33 (2014) https://cyber.gc.ca/en/guidance/annex-2-information-system-security-risk-management-activities-itsg-33
- summary ITSG-33 https://cyber.gc.ca/en/guidance/annex-4-identification-control-elements-security-controls-itsg-41
- AU-2 AU-3 AU-4 AU-5 AU-16 via cloud logging fedramp compliance https://cloud.google.com/blog/products/identity-security/5-must-know-security-and-compliance-features-in-cloud-logging
- COM https://ssc-clouddocs.canada.ca/s/com?language=en_US
- https://cloud-services-infonuagiques.canada.ca/