-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Component-level yamls #7
Conversation
SC-13: All traffic from the public internet to the Cloud Controller and UAA happens | ||
over HTTPS and operators configure encryption of the identity store in the UAA | ||
SC-28 (1): Operators configure encryption of the identity store in the UAA. When | ||
users register an account with the Cloud Foundry platform, the UAA, acts as the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I really think we need a hierarchy of "components" - UAA is a component of CF, but most government CF installations actually use the UAA plugin mechanism to connect external IDP systems such as CA Siteminder (because they fulfill all the 800-53 AC controls that way). So I think the "component" that satisfies AC-2 is a sub-component of UAA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is interesting. I guess I'm wondering how far down the chain we have to go. Do you think that all systems have sub-components that satisfy the controls level?
Like this:
Cloud Foundry > UAA > CA Siteminder (AC-2)
AWS > EC2 > Something else (AC-3)
Or will there be cases where the component itself satisfies one control and the sub-component satisfies another?
Cloud Foundry > UAA (satisfies AC-3, IA-9, etc.) > CA Siteminder (satisfies AC-2)
Started to transform an intermediary spreadsheet to help create the first batch of component-level control documentation.