Component-level yamls #7
Conversation
| SC-13: All traffic from the public internet to the Cloud Controller and UAA happens | ||
| over HTTPS and operators configure encryption of the identity store in the UAA | ||
| SC-28 (1): Operators configure encryption of the identity store in the UAA. When | ||
| users register an account with the Cloud Foundry platform, the UAA, acts as the |
There was a problem hiding this comment.
I really think we need a hierarchy of "components" - UAA is a component of CF, but most government CF installations actually use the UAA plugin mechanism to connect external IDP systems such as CA Siteminder (because they fulfill all the 800-53 AC controls that way). So I think the "component" that satisfies AC-2 is a sub-component of UAA.
There was a problem hiding this comment.
This is interesting. I guess I'm wondering how far down the chain we have to go. Do you think that all systems have sub-components that satisfy the controls level?
Like this:
Cloud Foundry > UAA > CA Siteminder (AC-2)
AWS > EC2 > Something else (AC-3)
Or will there be cases where the component itself satisfies one control and the sub-component satisfies another?
Cloud Foundry > UAA (satisfies AC-3, IA-9, etc.) > CA Siteminder (satisfies AC-2)
Started to transform an intermediary spreadsheet to help create the first batch of component-level control documentation.