Sample Custom Mod Dunder Mifflin (DMI) Control Framework - luisffc/tdk GitHub Wiki
https://github.com/luisffc/tdk/tree/274-gnb
Overview
Dunder Mifflin Paper Company, Inc. (DMI) is a fictional paper sales company featured in the American television series The Office.
DMI defines its own compliance framework to ensure security and regulatory compliance. This compliance framework provides a set of prescriptive controls for network and data security, user authentication and authorization, and monitoring.
While Turbot provides capabilities to meet most of DMI's control objectives, DMI would like to be able to search, filter, and report on compliance to their specific controls using the Turbot console. DMI employees are already aware of the DMI framework, and they communicate using the terms and definitions defined there.
To meet this requirement, DMI has decided to write a Turbot custom mod. This mod will leverage existing Turbot resources and CMDB data but will present the data in the native structure of the DMI Control Framework. Note that automated remediation ("enforce") is out of scope: these controls will be "check" mode only (existing Turbot controls can be used to remediate the items if desired, however).
DMI Compliance and Control Framework
The Dunder Mifflin Compliance and Control Framework (DMI CCF) is composed of a set of generalized controls, with separate implementations (benchmarks) that provide specific technical implementations for each technology platform.
The DMI Control Framework is composed of the following control categories (the categories are common to all platforms):
- Authentication & Access Control
- Data Security & Encryption
- Network Security
- Logging & Auditing
- Data Protection & Business Continuity
The DMI AWS Benchmark provides implementation requirements specific to AWS. The AWS Benchmark is divided into sections per AWS service.
- IAM
- S3
- CloudTrail
- RDS
Each section contains multiple numbered control items. Each of these control items maps back to a control category in the control framework.
Benchmark Item | Control Category |
---|---|
AWS.IAM.001 - Password policy meets complexity requirements | Authentication & Access Control |
AWS.IAM.002 - Require MFA for console users | Authentication & Access Control |
AWS.S3.001 - Set Default Encryption on S3 Buckets | Data Security & Encryption |
AWS.S3.002 - Enable Versioning on S3 Buckets | Data Protection & Business Continuity |
AWS.VPC.001 - Disallow access to management ports from 0.0.0.0/0 | Network Security |
AWS.CloudTrail.001 - Enable Cloudtrail in All Regions | Logging & Auditing |
AWS.RDS.001 - Enable RDS Backups with standard DB retention | Data Protection & Business Continuity |
Guidelines
Each control will target the most specific resource for its purpose. For example, a control targeting user information will target users, and a control targeting security group rule details will target the security group.
All Custom Reporting Framework controls are based on information in the CMDB. They must work when Turbot is limited to read only credentials for the provider.
Custom reporting framework policies will NOT have any "enforce" values:
- Turbot already has policies that would overlap with many of the DMI control enforcements
- Enforcement is complex in practice, and doesn't map in a neat one-to-one pattern between reporting controls and Turbot controls. For a given item, there may be many possible ways to enforce the configuration in Turbot, and this may involve the interaction of multiple Turbot policies
- Many control frameworks have common requirements, and implementing enforcement in all the reporting frameworks would be redundant
Control/Policy Type Hierarchy
The control and policy type hierarchies will map each Turbot policy and control to a DMI Control item.
The DMI benchmark item IDs follow a consistent structure: {provider}.{control section}.{id number}, for example AWS.IAM.001. The Turbot type hierarchy will mirror DMI's benchmark structure:
- The top-level type will be Dunder Mifflin
- The next level will be the provider abbreviation
- The next level will be the DMI Benchmark Section that the item belongs to:
- Dunder Mifflin > AWS > IAM
- Dunder Mifflin > AWS > S3
- Dunder Mifflin > AWS > VPC
- Dunder Mifflin > AWS > CloudTrail
- Dunder Mifflin > AWS > RDS
- The next level will be the individual control item. As in CIS, this will contain the full control ID as well as the title. For example:
- DMI Control Item: AWS.IAM.001 - Password policy meets complexity requirements will have policies and controls: Dunder Mifflin > AWS > IAM > AWS.IAM.001 - Password policy meets complexity requirements
Control Categories
Categories provide an alternate, vendor agnostic view of controls and policies. The DMI category will align with the Control Framework Categories, providing a view of all the controls and policies for all cloud providers - When DMI adds Azure and GCP controls to their framework, they will map to these same categories. The categories map each Turbot policy and control to a DMI Control Section.
- The top-level type will be Dunder Mifflin
- The next level will be the DMI Control Section name that the item belongs to:
- Dunder Mifflin > 1. Authentication & Access Control
- Dunder Mifflin > 2. Data Security & Encryption
- Dunder Mifflin > 3. Network Security
- Dunder Mifflin > 4. Logging & Auditing
- Dunder Mifflin > 5. Data Protection & Business Continuity
- The DMI categories (as well as the root Dunder Mifflin policy type) should be implemented in a separate dmi-ccf mod so that they can be shared by ALL benchmarks (dmi-ccf-aws, dmi-ccf-azure, etc.). This mod must be installed first.
- Each benchmark will map to a control category:
Type | Category |
---|---|
Dunder Mifflin > AWS > IAM > AWS.IAM.001 - Password policy meets complexity requirements | Dunder Mifflin > Authentication & Access Control |
Dunder Mifflin > AWS > IAM > AWS.IAM.002 - Require MFA for console users | Dunder Mifflin > Authentication & Access Control |
Dunder Mifflin > AWS > S3 > AWS.S3.001 - Set Default Encryption on S3 Buckets | Dunder Mifflin > Data Security & Encryption |
Dunder Mifflin > AWS > S3 > AWS.S3.002 - Enable Versioning on S3 Buckets | Dunder Mifflin > Data Protection & Business Continuity |
Dunder Mifflin > AWS > VPC > AWS.VPC.001 - Disallow access to management ports from 0.0.0.0/0 | Dunder Mifflin > Network Security |
Dunder Mifflin > AWS > CloudTrail > AWS.CloudTrail.001 - Enable Cloudtrail in All Regions | Dunder Mifflin > Logging & Auditing |
Dunder Mifflin > AWS > RDS > AWS.RDS.001 - Enable RDS Backups with standard DB retention | Dunder Mifflin > Data Protection & Business Continuity |
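The type hierarchy and category mapping described above follow mechanically from the benchmark item ID. The following is an added example, not code from the luisffc/tdk wiki or from Turbot, that parses the {provider}.{control section}.{id number} structure, builds the Dunder Mifflin > {provider} > {section} > {id} - {title} type path, and resolves the Dunder Mifflin > {category} path each item maps to. The item table is constructed from the tables on this page; the function names are this example's own.

```python
"""Added example: derive Turbot type paths and category paths for DMI benchmark items.
Not part of the luisffc/tdk wiki or any Turbot mod; function names are this example's own."""
import re

# Constructed from the benchmark and category tables on this page.
BENCHMARK_ITEMS = {
    "AWS.IAM.001": ("Password policy meets complexity requirements", "Authentication & Access Control"),
    "AWS.IAM.002": ("Require MFA for console users", "Authentication & Access Control"),
    "AWS.S3.001": ("Set Default Encryption on S3 Buckets", "Data Security & Encryption"),
    "AWS.S3.002": ("Enable Versioning on S3 Buckets", "Data Protection & Business Continuity"),
    "AWS.VPC.001": ("Disallow access to management ports from 0.0.0.0/0", "Network Security"),
    "AWS.CloudTrail.001": ("Enable Cloudtrail in All Regions", "Logging & Auditing"),
    "AWS.RDS.001": ("Enable RDS Backups with standard DB retention", "Data Protection & Business Continuity"),
}

ROOT = "Dunder Mifflin"

# {provider}.{control section}.{id number}; the id number is zero-padded to three digits on this page.
ID_PATTERN = re.compile(r"^(?P<provider>[A-Za-z0-9]+)\.(?P<section>[A-Za-z0-9]+)\.(?P<number>\d{3})$")


def parse_item_id(item_id):
    """Split a DMI benchmark item ID into (provider, section, number); reject malformed IDs."""
    match = ID_PATTERN.match(item_id)
    if not match:
        raise ValueError(f"not a DMI benchmark item ID: {item_id!r}")
    return match.group("provider"), match.group("section"), match.group("number")


def type_path(item_id, title):
    """Turbot policy/control type path: Dunder Mifflin > provider > section > id - title."""
    provider, section, _ = parse_item_id(item_id)
    return f"{ROOT} > {provider} > {section} > {item_id} - {title}"


def category_path(category):
    """Vendor-agnostic category path shared by all provider benchmarks."""
    return f"{ROOT} > {category}"


def build_mappings(items):
    """Return {type path: category path}, i.e. the Type | Category table above."""
    return {type_path(item_id, title): category_path(category)
            for item_id, (title, category) in items.items()}


def items_in_category(items, category):
    """All item IDs (any provider) that roll up into one control category."""
    return sorted(item_id for item_id, (_, cat) in items.items() if cat == category)


if __name__ == "__main__":
    for type_name, category in build_mappings(BENCHMARK_ITEMS).items():
        print(f"{type_name}  ->  {category}")
```

Because the category path never includes the provider, adding Azure or GCP items later only requires new entries in the benchmark table; items_in_category already returns a cross-provider view.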
Policies
Report level policies
To provide a simple default mechanism for controlling which level of reporting to use, and to enable all controls, we will provide a master report-level policy. The (resource specific) sub-policies will then refer to this policy in their set of values (Dunder Mifflin > AWS, for example). This value should be the default for all controls within the report.
The report level will be set to Skip by default.
Dunder Mifflin > AWS

```yaml
description:
  Configures a default auditing level against the DMI Controls Framework for AWS.
target: GCP Project
schema:
  type: String
  enum:
    - Skip
    - Check
  default: Skip
```
Sub-Section level policies
Sub-Section levels will be empty policy types, used for organization only. There will be no settable policies at the control section or provider levels. For example, the following will NOT have policy settings or values:
- Dunder Mifflin > AWS > IAM
- Dunder Mifflin > AWS > S3
- Dunder Mifflin > AWS > VPC
- Dunder Mifflin > AWS > CloudTrail
- Dunder Mifflin > AWS > RDS
Resource level policies/controls
Custom Control Framework controls will be implemented as sub-policies. They can be enabled (in Check mode) or skipped individually, but by default will use the top-level report policy to determine whether to run.
Dunder Mifflin > AWS > IAM > AWS.IAM.001 - Password policy meets complexity requirements

```yaml
description: |
  Configures auditing against a DMI Control Framework Control item.
  Ensure AWS Password Policy meets minimum GN Standards:
    - at least 14 characters
    - at least one uppercase
    - at least one lowercase
    - at least one number
    - at least one special character
targets:
  - AWS > IAM > Account Password Policy
schema:
  type: String
  enum:
    - Skip
    - Check
    - Per Dunder Mifflin > AWS
  default: Per Dunder Mifflin > AWS
```
These controls may in turn have sub-policies if more configuration data is needed.
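The two policy definitions above combine into one decision per resource: the control-level value either resolves to Skip or Check directly, or defers to the report-level value via "Per Dunder Mifflin > AWS", and only a resolved Check actually evaluates the CMDB record. The following is an added example, not code from the luisffc/tdk wiki or from Turbot, that models that resolution with the defaults from this page (report level defaults to Skip, control level defaults to Per report) and then evaluates AWS.IAM.001 against a constructed account password policy record in check mode. The record's field names are assumed to resemble the AWS GetAccountPasswordPolicy response rather than the Turbot CMDB schema, and all function names are this example's own.

```python
"""Added example: policy resolution plus a check-mode evaluation of AWS.IAM.001.
Not part of the luisffc/tdk wiki or any Turbot mod; names and record layout are assumptions."""

REPORT_POLICY = "Dunder Mifflin > AWS"
CONTROL_POLICY = ("Dunder Mifflin > AWS > IAM > AWS.IAM.001 - "
                  "Password policy meets complexity requirements")
PER_REPORT = f"Per {REPORT_POLICY}"   # the deferring enum value from the policy schema

MIN_LENGTH = 14

# Assumed field names, modelled on the AWS GetAccountPasswordPolicy response, not Turbot's CMDB.
REQUIRED_FLAGS = (
    ("RequireUppercaseCharacters", "at least one uppercase"),
    ("RequireLowercaseCharacters", "at least one lowercase"),
    ("RequireNumbers", "at least one number"),
    ("RequireSymbols", "at least one special character"),
)


def effective_mode(settings):
    """Resolve Skip/Check for AWS.IAM.001 from a {policy path: value} mapping.

    Missing entries take the page's defaults: control level -> Per report, report level -> Skip.
    """
    control_value = settings.get(CONTROL_POLICY, PER_REPORT)
    if control_value == PER_REPORT:
        return settings.get(REPORT_POLICY, "Skip")
    return control_value


def check_password_policy(policy):
    """Evaluate a CMDB-style password policy record; read-only, no remediation.

    Returns (state, reasons): 'ok' with no reasons, 'alarm' with one reason per unmet
    requirement, or 'error' when the account has no password policy in the CMDB.
    """
    if policy is None:
        return "error", ["no account password policy found in CMDB"]
    reasons = []
    if policy.get("MinimumPasswordLength", 0) < MIN_LENGTH:
        reasons.append(f"minimum length {policy.get('MinimumPasswordLength', 0)} < {MIN_LENGTH}")
    for key, requirement in REQUIRED_FLAGS:
        if not policy.get(key, False):
            reasons.append(f"{requirement} is not required")
    return ("ok" if not reasons else "alarm"), reasons


def run_control(settings, policy):
    """Apply the resolved mode: Skip never inspects the record, Check evaluates it."""
    if effective_mode(settings) == "Skip":
        return "skipped", []
    return check_password_policy(policy)


# Constructed sample CMDB records for illustration.
WEAK_POLICY = {"MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
               "RequireLowercaseCharacters": True, "RequireNumbers": True,
               "RequireSymbols": False}
STRONG_POLICY = {"MinimumPasswordLength": 16, "RequireUppercaseCharacters": True,
                 "RequireLowercaseCharacters": True, "RequireNumbers": True,
                 "RequireSymbols": True}


if __name__ == "__main__":
    for label, settings in (("defaults", {}), ("report=Check", {REPORT_POLICY: "Check"}),
                            ("report=Check, control=Skip",
                             {REPORT_POLICY: "Check", CONTROL_POLICY: "Skip"})):
        print(label, "->", run_control(settings, WEAK_POLICY))
```

The 'error' state for a missing record matters in practice: an account with no password policy at all must not be reported as compliant, and because the check only reads CMDB data it works with the read-only provider credentials the guidelines require.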
See also About Dunder Mifflin Paper Company, Inc.