`<< Back <../../openstack>`__

.. _2-architecture-requirements:

2. Architecture Requirements
============================

Table 2-1a: Reference Model Requirements: Cloud Infrastructure Software Profile Capabilities
**1** Defined in the ``.bronze`` configuration in `RM section 4.2.6 Storage Extensions <../../../ref_model/chapters/chapter04.md#4.2.6>`__

.. _2211-cloud-infrastructure-software-profile-extensions-requirements-for-compute:

2.2.1.1 Cloud Infrastructure Software Profile Extensions Requirements for Compute
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 18 30 17 17 18

   * - Reference
     - Description
     - Profile Extensions
     - Profile Extra-Specs
     - Specification Reference
   * - e.cap.008/infra.com.acc.cfg.001
     - IPSec Acceleration using the virtio-ipsec interface
     - Compute Intensive GPU
     -
     -
   * - e.cap.010/infra.com.acc.cfg.002
     - Transcoding Acceleration
     - Compute Intensive GPU
     - Video Transcoding
     -
   * - e.cap.011/infra.com.acc.cfg.003
     - Programmable Acceleration
     - Firmware-programmable adapter
     - Accelerator
     -
   * - e.cap.012
     - Enhanced Cache Management: L=Lean; E=Equal; X=eXpanded
     - E
     - E
     -
   * - e.cap.014/infra.com.acc.cfg.004
     - Hardware coprocessor support (GPU/NPU)
     - Compute Intensive GPU
     -
     -
   * - e.cap.016/infra.com.acc.cfg.005
     - FPGA/other Acceleration H/W
     - Firmware-programmable adapter
     -
     -

Table 2-1b: Cloud Infrastructure Software Profile Extensions Requirements for Compute
.. _222-cloud-infrastructure-software-profile-requirements-for-netwokring-source-rm-523:

2.2.2 Cloud Infrastructure Software Profile Requirements for Networking (source `RM 5.2.3 <../../../ref_model/chapters/chapter05.md#5.2.3>`__)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The features and configuration requirements related to virtual networking for the two (2) types of Cloud Infrastructure Profiles are specified below, followed by the networking bandwidth requirements.

.. list-table::
   :header-rows: 1
   :widths: 18 30 17 17 18

   * - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for High-Performance Profile
     - Specification Reference
   * - infra.net.cfg.001
     - IO virtualisation using virtio1.1
     - Must support
     - Must support
     -
   * - infra.net.cfg.002
     - The overlay network encapsulation protocol needs to enable ECMP in the underlay to take advantage of the scale-out features of the network fabric
     - Must support VXLAN, MPLSoUDP, GENEVE, other
     - *No requirement specified*
     -
   * - infra.net.cfg.003
     - Network Address Translation
     - Must support
     - Must support
     -
   * - infra.net.cfg.004
     - Security Groups
     - Must support
     - Must support
     -
   * - infra.net.cfg.005
     - SFC support
     - Not required
     - Must support
     -
   * - infra.net.cfg.006
     - Traffic patterns symmetry
     - Must support
     - Must support
     -

Table 2-2a: Reference Model Requirements - Virtual Networking
The required number of connection points to a VM is described in ``e.cap.004`` `above <#2.2.1>`__. The table below specifies the required bandwidth of those connection points.

.. list-table::
   :header-rows: 1
   :widths: 18 30 17 17 18

   * - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for High Performance Profile
     - Specification Reference
   * - n1, n2, n3, n4, n5, n6
     - 1, 2, 3, 4, 5, 6 Gbps
     - Must support
     - Must support
     -
   * - n10, n20, n30, n40, n50, n60
     - 10, 20, 30, 40, 50, 60 Gbps
     - Must support
     - Must support
     -
   * - n25, n50, n75, n100, n125, n150
     - 25, 50, 75, 100, 125, 150 Gbps
     - Optional
     - Must support
     -
   * - n50, n100, n150, n200, n250, n300
     - 50, 100, 150, 200, 250, 300 Gbps
     - Optional
     - Must support
     -
   * - n100, n200, n300, n400, n500, n600
     - 100, 200, 300, 400, 500, 600 Gbps
     - Optional
     - Must support
     -

Table 2-2b: Reference Model Requirements - Network Interface Specifications
.. _2221-cloud-infrastructure-software-profile-extensions-requirements-for-networking:

2.2.2.1 Cloud Infrastructure Software Profile Extensions Requirements for Networking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 18 30 17 17 18

   * - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for High-Performance Profile
     - Specification Reference
   * - e.cap.013/infra.hw.nac.cfg.004
     - SR-IOV over PCI-PT
     - N
     - Y
     -
   * - e.cap.019/infra.net.acc.cfg.001
     - vSwitch optimisation (DPDK)
     - N
     - Y
     -
   * - e.cap.015/infra.net.acc.cfg.002
     - SmartNIC (for HW Offload)
     - N
     - Optional
     -
   * - e.cap.009/infra.net.acc.cfg.003
     - Crypto acceleration
     - N
     - Optional
     -
   * - infra.net.acc.cfg.004
     - Crypto Acceleration Interface
     - N
     - Optional
     -

Table 2-2c: Cloud Infrastructure Software Profile Extensions Requirements for Networking
.. _223-cloud-infrastructure-software-profile-requirements-for-storage-source-rm-52:

2.2.3 Cloud Infrastructure Software Profile Requirements for Storage (source `RM 5.2 <../../../ref_model/chapters/chapter05.md#5.2>`__)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 18 30 17 17 18

   * - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for High-Performance Profile
     - Specification Reference
   * - infra.stg.cfg.002
     - Storage Block
     - Must support
     - Must support
     -
   * - infra.stg.cfg.003
     - Storage with replication
     - Not required
     - Must support
     -
   * - infra.stg.cfg.004
     - Storage with encryption
     - Must support
     - Must support
     -
   * - infra.stg.acc.cfg.001
     - Storage IOPS oriented
     - Not required
     - Must support
     -
   * - infra.stg.acc.cfg.002
     - Storage capacity oriented
     - Not required
     - Not required
     -

Table 2-3a: Reference Model Requirements - Cloud Infrastructure Software Profile Requirements for Storage
.. _2231-cloud-infrastructure-software-profile-extensions-requirements-for-storage:

2.2.3.1 Cloud Infrastructure Software Profile Extensions Requirements for Storage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 18 30 17 17 18

   * - Reference
     - Description
     - Profile Extensions
     - Profile Extra-Specs
     - Specification Reference
   * - infra.stg.acc.cfg.001
     - Storage IOPS oriented
     - Storage Intensive High-performance storage
     -
     -
   * - infra.stg.acc.cfg.002
     - Storage capacity oriented
     - High Capacity
     -
     -

Table 2-3b: Reference Model Requirements - Cloud Infrastructure Software Profile Extensions Requirements for Storage
.. _224-cloud-infrastructure-hardware-profile-requirements-source-rm-54:

2.2.4 Cloud Infrastructure Hardware Profile Requirements (source `RM 5.4 <../../../ref_model/chapters/chapter05.md#5.4>`__)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 18 30 17 17 18

   * - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for High-Performance Profile
     - Specification Reference
   * - infra.hw.001
     - CPU Architecture (Values such as x64, ARM, etc.)
     -
     -
     -
   * - infra.hw.cpu.cfg.001
     - Minimum number of CPU (Sockets)
     - 2
     - 2
     -
   * - infra.hw.cpu.cfg.002
     - Minimum number of Cores per CPU
     - 20
     - 20
     -
   * - infra.hw.cpu.cfg.003
     - NUMA
     - Not required
     - Must support
     -
   * - infra.hw.cpu.cfg.004
     - Simultaneous Multithreading/Symmetric Multiprocessing (SMT/SMP)
     - Must support
     - Must support
     -
   * - infra.hw.stg.hdd.cfg.001
     - Local Storage HDD
     - *No requirement specified*
     - *No requirement specified*
     -
   * - infra.hw.stg.ssd.cfg.002
     - Local Storage SSD
     - Should support
     - Should support
     -
   * - infra.hw.nic.cfg.001
     - Total Number of NIC Ports available in the host
     - 4
     - 4
     -
   * - infra.hw.nic.cfg.002
     - Port speed specified in Gbps (minimum values)
     - 10
     - 25
     -
   * - infra.hw.pci.cfg.001
     - Number of PCIe slots available in the host
     - 8
     - 8
     -
   * - infra.hw.pci.cfg.002
     - PCIe speed
     - Gen 3
     - Gen 3
     -
   * - infra.hw.pci.cfg.003
     - PCIe Lanes
     - 8
     - 8
     -
   * - infra.hw.nac.cfg.003
     - Compression
     - *No requirement specified*
     - *No requirement specified*
     -

Table 2-4a: Reference Model Requirements - Cloud Infrastructure Hardware Profile Requirements
.. _2241-cloud-infrastructure-hardware-profile-extensions-requirements-source-rm-54:

2.2.4.1 Cloud Infrastructure Hardware Profile-Extensions Requirements (source `RM 5.4 <../../../ref_model/chapters/chapter05.md#5.4>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 18 30 17 17 18

   * - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for High-Performance Profile
     - Specification Reference
   * - e.cap.014/infra.hw.cac.cfg.001
     - GPU
     - N
     - Optional
     -
   * - e.cap.016/infra.hw.cac.cfg.002
     - FPGA/other Acceleration H/W
     - N
     - Optional
     -
   * - e.cap.009/infra.hw.nac.cfg.001
     - Crypto Acceleration
     - N
     - Optional
     -
   * - e.cap.015/infra.hw.nac.cfg.002
     - SmartNIC
     - N
     - Optional
     -
   * - infra.hw.nac.cfg.003
     - Compression
     - Optional
     - Optional
     -
   * - e.cap.013/infra.hw.nac.cfg.004
     - SR-IOV over PCI-PT
     - N
     - Yes
     -

Table 2-4b: Reference Model Requirements - Cloud Infrastructure Hardware Profile Extensions Requirements
.. _225-cloud-infrastructure-management-requirements-source-rm-415:

2.2.5 Cloud Infrastructure Management Requirements (source `RM 4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 15 45 20 20

   * - Reference
     - Description
     - Requirement (common to all Profiles)
     - Specification Reference
   * - e.man.001
     - Capability to allocate virtual compute resources to a workload
     - Must support
     -
   * - e.man.002
     - Capability to allocate virtual storage resources to a workload
     - Must support
     -
   * - e.man.003
     - Capability to allocate virtual networking resources to a workload
     - Must support
     -
   * - e.man.004
     - Capability to isolate resources between tenants
     - Must support
     -
   * - e.man.005
     - Capability to manage workload software images
     - Must support
     -
   * - e.man.006
     - Capability to provide information related to allocated virtualised resources per tenant
     - Must support
     -
   * - e.man.007
     - Capability to notify state changes of allocated resources
     - Must support
     -
   * - e.man.008
     - Capability to collect and expose performance information on virtualised resources allocated
     - Must support
     -
   * - e.man.009
     - Capability to collect and notify fault information on virtualised resources
     - Must support
     -

Table 2-5: Reference Model Requirements: Cloud Infrastructure Management Requirements
.. _226-cloud-infrastructure-security-requirements:

2.2.6 Cloud Infrastructure Security Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. _2261-system-hardening-source-rm-791:

2.2.6.1. System Hardening (source `RM 7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 14 37 37

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.gen.001
     - Hardening
     - The Platform **must** maintain the specified configuration.
     - `RA-1 6.3.6 "Security LCM" <./chapter06.md#636-security-lcm>`__, `RA-1 7.2 "Cloud Infrastructure and VIM configuration management" <./chapter07.md#72-cloud-infrastructure-and-vim-configuration-management>`__
   * - sec.gen.002
     - Hardening
     - All systems part of Cloud Infrastructure **must** support password hardening as defined in CIS Password Policy Guide
     - `RA-1 6.3.1.3 "Password policy" <./chapter06.md#6313-password-policy>`__

Table 2-6: Reference Model Requirements - System Hardening Requirements
.. _2262-platform-and-access-source-rm-792:

2.2.6.2. Platform and Access (source `RM 7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 14 37 37

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.sys.001
     - Access
     - The Platform **must** support authenticated and secure access to API, GUI and command line interfaces.
     - `RA-1 6.3.2.4 "RBAC" <./chapter06.md#6324-rbac>`__
   * - sec.sys.002
     - Access
     - The Platform **must** support Traffic Filtering for workloads (for example, Firewall).
     - `RA-1 6.3.4 "Workload Security" <./chapter06.md#634-workload-security>`__
   * - sec.sys.003
     - Access
     - The Platform **must** support Secure and encrypted communications, and confidentiality and integrity of network traffic.
     - `RA-1 6.3.3.1 "Confidentiality and Integrity of communications" <./chapter06.md#6331-confidentiality-and-integrity-of-communications>`__
   * - sec.sys.004
     - Access
     - The Cloud Infrastructure **must** support authentication, integrity and confidentiality on all network channels.
     - `RA-1 6.3.3.1 "Confidentiality and Integrity of communications" <./chapter06.md#6331-confidentiality-and-integrity-of-communications>`__
   * - sec.sys.005
     - Access
     - The Cloud Infrastructure **must** segregate the underlay and overlay networks.
     - `RA-1 6.3.3.1 "Confidentiality and Integrity of communications" <./chapter06.md#6331-confidentiality-and-integrity-of-communications>`__
   * - sec.sys.006
     - Access
     - The Cloud Infrastructure **must** be able to utilise the Cloud Infrastructure Manager identity lifecycle management capabilities.
     - `RA-1 6.3.2.1 "Identity Security" <./chapter06.md#6321-identity-security>`__
   * - sec.sys.007
     - Access
     - The Platform **must** implement controls enforcing separation of duties and privileges, least privilege use and least common mechanism (Role-Based Access Control).
     - `RA-1 6.3.2.4 "RBAC" <./chapter06.md#6324-rbac>`__
   * - sec.sys.008
     - Access
     - The Platform **must** be able to assign the Entities that comprise the tenant networks to different trust domains. (Communication between different trust domains is not allowed, by default.)
     - `RA-1 6.3.4 "Workload Security" <./chapter06.md#634-workload-security>`__
   * - sec.sys.009
     - Access
     - The Platform **must** support creation of Trust Relationships between trust domains. These may be uni-directional relationships where the trusting domain trusts another domain (the "trusted domain") to authenticate users for them or to allow access to its resources from the trusted domain. In a bidirectional relationship both domains are "trusting" and "trusted".
     -
   * - sec.sys.010
     - Access
     - For two or more domains without existing trust relationships, the Platform **must not** allow the effect of an attack on one domain to impact the other domains either directly or indirectly.
     -
   * - sec.sys.011
     - Access
     - The Platform **must not** reuse the same authentication credentials (e.g., key pairs) on different Platform components (e.g., different hosts, or different services).
     - `RA-1 6.3.1.2 "System Access" <./chapter06.md#6312-system-access>`__
   * - sec.sys.012
     - Access
     - The Platform **must** protect all secrets by using strong encryption techniques and storing the protected secrets externally from the component (e.g., in OpenStack Barbican).
     -
   * - sec.sys.013
     - Access
     - The Platform **must** generate secrets dynamically as and when needed.
     -
   * - sec.sys.015
     - Access
     - The Platform **must not** contain back door entries (unpublished access points, APIs, etc.).
     -
   * - sec.sys.016
     - Access
     - Login access to the Platform's components **must** be through encrypted protocols such as SSH v2 or TLS v1.2 or higher. Note: Hardened jump servers isolated from external networks are recommended.
     - `RA-1 6.3.6 "Security LCM" <./chapter06.md#636-security-lcm>`__
   * - sec.sys.017
     - Access
     - The Platform **must** provide the capability of using digital certificates that comply with X.509 standards issued by a trusted Certification Authority.
     - `RA-1 6.3.3.1 "Confidentiality and Integrity of communications" <./chapter06.md#6331-confidentiality-and-integrity-of-communications>`__
   * - sec.sys.018
     - Access
     - The Platform **must** provide the capability of allowing certificate renewal and revocation.
     -
   * - sec.sys.019
     - Access
     - The Platform **must** provide the capability of testing the validity of a digital certificate (CA signature, validity period, non-revocation, identity).
     -

Table 2-7: Reference Model Requirements - Platform and Access Requirements
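As an added example (not code from the Anuket RA-1 project or its test suites), the following Python uses only the standard-library ``ssl`` module to express sec.sys.016, sec.sys.017 and sec.sys.019 from Table 2-7 as client-side TLS settings, and audits a given context for the clauses it fails; the function names, the finding strings and the optional PEM paths are assumptions of the example, and the weak context is included only as the baseline the audit should flag.

```python
"""TLS client-side checks for the access requirements in Table 2-7.

Added example for this page, not code from the Anuket RA-1 project.  It maps
sec.sys.016 (TLS v1.2 or higher), sec.sys.017 (X.509 certificates from a
trusted CA) and sec.sys.019 (CA signature, validity period, non-revocation,
identity) onto settings of a stdlib ``ssl.SSLContext`` and provides an audit
that reports which clause a context fails.  All names here are the example's own.
"""
import ssl
from typing import List, Optional

MINIMUM_TLS = ssl.TLSVersion.TLSv1_2  # sec.sys.016: TLS v1.2 or higher


def hardened_client_context(ca_bundle: Optional[str] = None,
                            crl_file: Optional[str] = None) -> ssl.SSLContext:
    """Context an API/CLI client should use towards the Platform.

    ``ca_bundle`` and ``crl_file`` are optional PEM paths (assumed to exist when
    given); without them the system trust store is used and no CRL is loaded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MINIMUM_TLS
    # sec.sys.017 / sec.sys.019: the peer must present an X.509 certificate whose
    # CA signature and validity period verify against a trusted CA.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=ca_bundle)
    # sec.sys.019 "identity": the server name must match the certificate.
    ctx.check_hostname = True
    # sec.sys.019 "non-revocation": reject a leaf certificate listed in the CRL.
    if crl_file is not None:
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The insecure baseline the audit is meant to catch (comparison only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # any TLS/SSL version
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # peer certificate never validated
    return ctx


def audit_client_context(ctx: ssl.SSLContext, require_crl: bool = False) -> List[str]:
    """Return the Table 2-7 clauses the context fails; an empty list is compliant."""
    findings: List[str] = []
    if ctx.minimum_version < MINIMUM_TLS:
        findings.append("sec.sys.016: TLS versions below v1.2 are accepted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("sec.sys.017: peer X.509 certificate not verified against a trusted CA")
    if not ctx.check_hostname:
        findings.append("sec.sys.019: certificate identity (hostname) is not checked")
    if require_crl and not (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF):
        findings.append("sec.sys.019: revocation (CRL) check is not enabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_client_context(ctx, require_crl=True) or "compliant")
```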
.. _2263-confidentiality-and-integrity-source-rm793:

2.2.6.3. Confidentiality and Integrity (source `RM7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 14 37 37

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.ci.001
     - Confidentiality/Integrity
     - The Platform **must** support Confidentiality and Integrity of data at rest and in transit.
     - `RA-1 6.3.3 "Confidentiality and Integrity" <./chapter06.md#633-confidentiality-and-integrity>`__
   * - sec.ci.003
     - Confidentiality/Integrity
     - The Platform **must** support Confidentiality and Integrity of data-related metadata.
     -
   * - sec.ci.004
     - Confidentiality
     - The Platform **must** support Confidentiality of processes and restrict information sharing with only the process owner (e.g., tenant).
     -
   * - sec.ci.005
     - Confidentiality/Integrity
     - The Platform **must** support Confidentiality and Integrity of process-related metadata and restrict information sharing with only the process owner (e.g., tenant).
     -
   * - sec.ci.006
     - Confidentiality/Integrity
     - The Platform **must** support Confidentiality and Integrity of workload resource utilisation (RAM, CPU, Storage, Network I/O, cache, hardware offload) and restrict information sharing with only the workload owner (e.g., tenant).
     -
   * - sec.ci.007
     - Confidentiality/Integrity
     - The Platform **must not** allow Memory Inspection by any actor other than the authorised actors for the Entity to which Memory is assigned (e.g., tenants owning the workload), for Lawful Inspection, and for secure monitoring services. Administrative access must be managed using Platform Identity Lifecycle Management.
     -
   * - sec.ci.008
     - Confidentiality
     - The Cloud Infrastructure **must** support tenant networks segregation.
     - `RA-1 6.3.4 "Workload Security" <./chapter06.md#634-workload-security>`__

Table 2-8: Reference Model Requirements: Confidentiality and Integrity Requirements
.. _2264-workload-security-source-rm794:

2.2.6.4. Workload Security (source `RM7.9.4 <../../../ref_model/chapters/chapter07.md#794-workload-security>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 14 37 37

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.wl.001
     - Workload
     - The Platform **must** support Workload placement policy.
     - `RA-1 6.3.4 "Workload Security" <./chapter06.md#634-workload-security>`__
   * - sec.wl.002
     - Workload
     - The Cloud Infrastructure **must** provide methods to ensure the platform's trust status and integrity (e.g., remote attestation, Trusted Platform Module).
     -
   * - sec.wl.003
     - Workload
     - The Platform **must** support secure provisioning of Workloads.
     - `RA-1 6.3.4 "Workload Security" <./chapter06.md#634-workload-security>`__
   * - sec.wl.004
     - Workload
     - The Platform **must** support Location assertion (for mandated in-country or location requirements).
     - `RA-1 6.3.4 "Workload Security" <./chapter06.md#634-workload-security>`__
   * - sec.wl.005
     - Workload
     - The Platform **must** support the separation of production and non-production Workloads.
     - This requirement's verification goes beyond Anuket testing scope
   * - sec.wl.006
     - Workload
     - The Platform **must** support the separation of Workloads based on their categorisation (for example, payment card information, healthcare, etc.)
     - `RA-1 6.3.4 "Workload Security" <./chapter06.md#634-workload-security>`__

Table 2-9: Reference Model Requirements - Workload Security Requirements
.. _2265-image-security-source-rm795:

2.2.6.5. Image Security (source `RM7.9.5 <../../../ref_model/chapters/chapter07.md#795-image-security>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table:: Table 2-10: Reference Model Requirements - Image Security Requirements
   :header-rows: 1
   :widths: 12 14 46 28

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.img.001
     - Image
     - Images from untrusted sources **must not** be used.
     - `RA-1 6.3.5 "Image Security" <./chapter06.md#635-image-security>`__
   * - sec.img.002
     - Image
     - Images **must** be scanned to be maintained free from known vulnerabilities.
     - `RA-1 6.3.5 "Image Security" <./chapter06.md#635-image-security>`__
   * - sec.img.003
     - Image
     - Images **must not** be configured to run with privileges higher than the privileges of the actor authorised to run them.
     -
   * - sec.img.004
     - Image
     - Images **must** only be accessible to authorised actors.
     - `RA-1 6.3.3.2 "Confidentiality and Integrity of communications" <./chapter06.md#6332-integrity-of-openstack-components-configuration>`__
   * - sec.img.005
     - Image
     - Image Registries **must** only be accessible to authorised actors.
     - `RA-1 6.3.3.2 "Confidentiality and Integrity of communications" <./chapter06.md#6332-integrity-of-openstack-components-configuration>`__
   * - sec.img.006
     - Image
     - Image Registries **must** only be accessible over networks that enforce authentication, integrity and confidentiality.
     - `RA-1 6.3.3.2 "Confidentiality and Integrity of communications" <./chapter06.md#6332-integrity-of-openstack-components-configuration>`__
   * - sec.img.007
     - Image
     - Image registries **must** be clear of vulnerable and out of date versions.
     - `RA-1 6.3.3.2 "Confidentiality and Integrity of communications" <./chapter06.md#6332-integrity-of-openstack-components-configuration>`__, `RA-1 6.3.5 "Image Security" <./chapter06.md#635-image-security>`__
.. _2266-security-lcm-source-rm796:

2.2.6.6. Security LCM (source `RM7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table:: Table 2-11: Reference Model Requirements - Security LCM Requirements
   :header-rows: 1
   :widths: 12 14 46 28

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.lcm.001
     - LCM
     - The Platform **must** support Secure Provisioning, Availability, and Deprovisioning (Secure Clean-Up) of workload resources where Secure Clean-Up includes tear-down, defense against virus or other attacks.
     - `RA-1 6.3.7 "Monitoring and Security Audit" <./chapter06.md#637-monitoring-and-security-audit>`__
   * - sec.lcm.002
     - LCM
     - The Cloud Operator **must** use management protocols limiting security risk such as SNMPv3, SSH v2, ICMP, NTP, syslog and TLS v1.2 or higher.
     - `RA-1 6.3.6 "Security LCM" <./chapter06.md#636-security-lcm>`__
   * - sec.lcm.003
     - LCM
     - The Cloud Operator **must** implement and strictly follow change management processes for Cloud Infrastructure, Cloud Infrastructure Manager and other components of the cloud, and Platform change control on hardware.
     - `RA-1 6.3.7 "Monitoring and Security Audit" <./chapter06.md#637-monitoring-and-security-audit>`__
   * - sec.lcm.005
     - LCM
     - Platform **must** provide logs and these logs must be monitored for anomalous behaviour.
     - `RA-1 6.3.7 "Monitoring and Security Audit" <./chapter06.md#637-monitoring-and-security-audit>`__
   * - sec.lcm.006
     - LCM
     - The Platform **must** verify the integrity of all Resource management requests.
     - `RA-1 6.3.3.3 "Confidentiality and Integrity of tenant data" <./chapter06.md#6333-confidentiality-and-integrity-of-tenant-data-secmon012-and-secmon013>`__
   * - sec.lcm.007
     - LCM
     - The Platform **must** be able to update newly instantiated, suspended, hibernated, migrated and restarted images with current time information.
     -
   * - sec.lcm.008
     - LCM
     - The Platform **must** be able to update newly instantiated, suspended, hibernated, migrated and restarted images with relevant DNS information.
     -
   * - sec.lcm.009
     - LCM
     - The Platform **must** be able to update the tag of newly instantiated, suspended, hibernated, migrated and restarted images with relevant geolocation (geographical) information.
     -
   * - sec.lcm.010
     - LCM
     - The Platform **must** log all changes to geolocation along with the mechanisms and sources of location information (i.e. GPS, IP block, and timing).
     -
   * - sec.lcm.011
     - LCM
     - The Platform **must** implement Security life cycle management processes including the proactive update and patching of all deployed Cloud Infrastructure software.
     - `RA-1 6.3.1.5 "Patches" <./chapter06.md#6315-patches>`__
   * - sec.lcm.012
     - LCM
     - The Platform **must** log any access privilege escalation.
     - `RA-1 6.3.7.2 "What to Log" <./chapter06.md#6372-what-to-log--what-not-to-log>`__
.. _2267-monitoring-and-security-audit-source-rm797:

2.2.6.7. Monitoring and Security Audit (source `RM7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The Platform is assumed to provide configurable alerting and notification capability, and the operator is assumed to have automated systems, policies and procedures to act on alerts and notifications in a timely fashion. The monitoring and logging capabilities listed below can trigger alerts and notifications for appropriate action.

.. list-table:: Table 2-12: Reference Model Requirements - Monitoring and Security Audit Requirements
   :header-rows: 1
   :widths: 12 14 46 28

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.mon.001
     - Monitoring/Audit
     - Platform **must** provide logs and these logs must be regularly monitored for events of interest. The logs **must** contain the following fields: event type, date/time, protocol, service or program used for access, success/failure, login ID or process ID, IP address and ports (source and destination) involved.
     - `RA-1 6.3.7.1 "Creating logs" <./chapter06.md#6371-creating-logs>`__, `RA-1 6.3.7.4 "Required Fields" <./chapter06.md#6374-required-fields>`__
   * - sec.mon.002
     - Monitoring
     - Security logs **must** be time synchronised.
     - `RA-1 6.3.7.6 "Security Logs Time Synchronisation" <./chapter06.md#6376-security-logs-time-synchronisation>`__
   * - sec.mon.003
     - Monitoring
     - The Platform **must** log all changes to time server source, time, date and time zones.
     - `RA-1 6.3.7.6 "Security Logs Time Synchronisation" <./chapter06.md#6376-security-logs-time-synchronisation>`__
   * - sec.mon.004
     - Audit
     - The Platform **must** secure and protect Audit logs (containing sensitive information) both in-transit and at rest.
     - `RA-1 6.3.6 "Security LCM" <./chapter06.md#636-security-lcm>`__
   * - sec.mon.005
     - Monitoring/Audit
     - The Platform **must** Monitor and Audit various behaviours of connection and login attempts to detect access attacks and potential access attempts and take corrective actions accordingly.
     - `RA-1 6.3.3.2 "Confidentiality and Integrity of communications" <./chapter06.md#6332-integrity-of-openstack-components-configuration>`__, `RA-1 6.3.7.2 "What to log, what not to log" <./chapter06.md#6372-what-to-log--what-not-to-log>`__
   * - sec.mon.006
     - Monitoring/Audit
     - The Platform **must** Monitor and Audit operations by authorised account access after login to detect malicious operational activity and take corrective actions.
     - `RA-1 6.3.3.2 "Integrity of OpenStack components configuration" <./chapter06.md#6332-integrity-of-openstack-components-configuration>`__, `RA-1 6.3.7 "Monitoring and Security Audit" <./chapter06.md#637-monitoring-and-security-audit>`__
   * - sec.mon.007
     - Monitoring/Audit
     - The Platform **must** Monitor and Audit security parameter configurations for compliance with defined security policies.
     - `RA-1 6.3.3.2 "Integrity of OpenStack components configuration" <./chapter06.md#6332-integrity-of-openstack-components-configuration>`__
   * - sec.mon.008
     - Monitoring/Audit
     - The Platform **must** Monitor and Audit externally exposed interfaces for illegal access (attacks) and take corrective security hardening measures.
     - `RA-1 6.3.3.1 "Confidentiality and Integrity of communications" <./chapter06.md#6331-confidentiality-and-integrity-of-communications>`__
   * - sec.mon.009
     - Monitoring/Audit
     - The Platform **must** Monitor and Audit service for various attacks (malformed messages, signalling flooding and replaying, etc.) and take corrective actions accordingly.
     - `RA-1 6.3.3.2 "Confidentiality and Integrity of communications" <./chapter06.md#6332-integrity-of-openstack-components-configuration>`__, `RA-1 6.3.7 "Monitoring and Security Audit" <./chapter06.md#637-monitoring-and-security-audit>`__
   * - sec.mon.010
     - Monitoring/Audit
     - The Platform **must** Monitor and Audit running processes to detect unexpected or unauthorised processes and take corrective actions accordingly.
     - `RA-1 6.3.7 "Monitoring and Security Audit" <./chapter06.md#637-monitoring-and-security-audit>`__
   * - sec.mon.011
     - Monitoring/Audit
     - The Platform **must** Monitor and Audit logs from infrastructure elements and workloads to detect anomalies in the system components and take corrective actions accordingly.
     - `RA-1 6.3.7.1 "Creating logs" <./chapter06.md#6371-creating-logs>`__
   * - sec.mon.012
     - Monitoring/Audit
     - The Platform **must** Monitor and Audit Traffic patterns and volumes to prevent malware download attempts.
     - `RA-1 6.3.3.3 "Confidentiality and Integrity of tenant data" <./chapter06.md#6333-confidentiality-and-integrity-of-tenant-data-secmon012-and-secmon013>`__
   * - sec.mon.013
     - Monitoring
     - The monitoring system **must not** affect the security (integrity and confidentiality) of the infrastructure, workloads, or the user data (through back door entries).
     -
   * - sec.mon.015
     - Monitoring
     - The Platform **must** ensure that the Monitoring systems are never starved of resources and **must** activate alarms when resource utilisation exceeds a configurable threshold.
     - `RA-1 6.3.7 "Monitoring and Security Audit" <./chapter06.md#637-monitoring-and-security-audit>`__
   * - sec.mon.017
     - Audit
     - The Platform **must** audit systems for any missing security patches and take appropriate actions.
     - `RA-1 6.3.1.5 "Patches" <./chapter06.md#6315-patches>`__
   * - sec.mon.018
     - Monitoring
     - The Platform, starting from initialisation, **must** collect and analyse logs to identify security events, and store these events in an external system.
     - `RA-1 6.3.7.3 "Where to Log" <./chapter06.md#6373-where-to-log>`__
   * - sec.mon.019
     - Monitoring
     - The Platform's components **must not** include an authentication credential, e.g., password, in any logs, even if encrypted.
     - `RA-1 6.3.7.2 "What to Log" <./chapter06.md#6372-what-to-log--what-not-to-log>`__
   * - sec.mon.020
     - Monitoring/Audit
     - The Platform's logging system **must** support the storage of security audit logs for a configurable period of time.
     - `RA-1 6.3.7.5 "Data Retention" <./chapter06.md#6375-data-retention>`__
   * - sec.mon.021
     - Monitoring
     - The Platform **must** store security events locally if the external logging system is unavailable and shall periodically attempt to send these to the external logging system until successful.
     - `RA-1 6.3.7.3 "Where to Log" <./chapter06.md#6373-where-to-log>`__
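As an added example (not part of the RA-1 text or the Anuket project code), the following shows how three of the requirements above can be enforced at the log-collection point: sec.mon.001 (required fields) and sec.mon.019 (no credential in any log) as a per-record check, and sec.mon.021 as a store-and-forward spool for an unavailable external logging system. The record keys, the credential heuristics and the sample records are constructed assumptions.

```python
"""Added example (not part of the Anuket RA-1 text or project code): enforce
sec.mon.001 (required log fields) and sec.mon.019 (no credential in any log)
per security-log record, and spool records locally while the external logging
system is unavailable (sec.mon.021). Record keys, credential heuristics and
the sample records are constructed assumptions."""
import re
from collections import deque
from typing import Callable

# Fields listed in sec.mon.001, mapped to assumed JSON keys of one record.
REQUIRED_FIELDS = (
    "event_type", "timestamp", "protocol", "service", "outcome",
    "principal", "src_ip", "src_port", "dst_ip", "dst_port",
)

# sec.mon.019 heuristics (assumed): a field whose *name* denotes a credential
# is a finding whatever it holds, since "even if encrypted" is disallowed;
# free-text values are additionally scanned for common token/password shapes.
CREDENTIAL_KEY = re.compile(
    r"\b(pass(word|wd)?|secret|token|api[_-]?key|authorization)\b", re.I)
CREDENTIAL_VALUE = re.compile(
    r"(?:bearer|basic)\s+[A-Za-z0-9+/=_.-]{16,}"  # HTTP Authorization schemes
    r"|x-auth-token\s*[:=]\s*\S+"                  # Keystone token header
    r"|password\s*[:=]\s*\S+",                     # password=... in a message
    re.I,
)


def _leaves(obj, path=""):
    """Yield (dotted_path, value) for every leaf of a nested record."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _leaves(val, f"{path}[{idx}]")
    else:
        yield path, obj


def check_record(record: dict) -> list[tuple[str, str]]:
    """Return (requirement, detail) findings; an empty list means compliant."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:
        findings.append(("sec.mon.001", "missing fields: " + ", ".join(missing)))
    for path, value in _leaves(record):
        if CREDENTIAL_KEY.search(path.rsplit(".", 1)[-1]):
            findings.append(("sec.mon.019", f"credential-named field {path!r}"))
        elif isinstance(value, str) and CREDENTIAL_VALUE.search(value):
            findings.append(("sec.mon.019", f"credential-like value in {path!r}"))
    return findings


class StoreAndForward:
    """sec.mon.021: keep events locally while the external sink is down and
    resend them, oldest first, until every one has been accepted."""

    def __init__(self, sink: Callable[[dict], None]):
        self._sink = sink            # e.g. a syslog-over-TLS forwarder; may raise
        self._spool: deque = deque()  # stands in for a durable local file

    def emit(self, record: dict) -> bool:
        """Deliver now if possible, else spool. Returns True when delivered."""
        if self._spool:              # keep ordering behind older events
            self._spool.append(record)
            return False
        try:
            self._sink(record)
            return True
        except OSError:
            self._spool.append(record)
            return False

    def retry(self) -> int:
        """Run periodically: forward spooled events until the sink fails again."""
        sent = 0
        while self._spool:
            try:
                self._sink(self._spool[0])
            except OSError:
                break
            self._spool.popleft()
            sent += 1
        return sent

    @property
    def pending(self) -> int:
        return len(self._spool)


# Constructed sample records (not real platform output).
GOOD_RECORD = {
    "event_type": "authn", "timestamp": "2024-01-15T10:02:33Z",
    "protocol": "https", "service": "keystone", "outcome": "failure",
    "principal": "alice", "src_ip": "198.51.100.7", "src_port": 51522,
    "dst_ip": "203.0.113.10", "dst_port": 5000,
}
BAD_RECORD = {  # source/destination omitted; token header and password leaked
    "event_type": "authn", "timestamp": "2024-01-15T10:02:34Z",
    "protocol": "https", "service": "keystone", "outcome": "success",
    "principal": "alice",
    "request": {"headers": {"X-Auth-Token": "gAAAAABl-example-token"},
                "body": "password=hunter2"},
}
```

`check_record(BAD_RECORD)` yields one sec.mon.001 finding for the four missing address fields and two sec.mon.019 findings (the token header by name, the body by value); `StoreAndForward.emit` keeps order by queueing new events behind any already spooled ones.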
.. _2268-open-source-software-source-rm798:

2.2.6.8. Open-Source Software (source `RM7.9.8 <../../../ref_model/chapters/chapter07.md#798-open-source-sotfware>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table:: Table 2-13: Reference Model Requirements - Open-Source Software Security Requirements
   :header-rows: 1
   :widths: 12 14 54 20

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.oss.001
     - Software
     - Open-source code **must** be inspected by tools with various capabilities for static and dynamic code analysis.
     -
   * - sec.oss.002
     - Software
     - The CVE (Common Vulnerabilities and Exposures) **must** be used to identify vulnerabilities and their severity rating for open-source code part of Cloud Infrastructure and workloads software, https://cve.mitre.org/
     -
.. _2269-iaac-security-source-rm799:

2.2.6.9. IaaC security (source `RM7.9.9 <../../../ref_model/chapters/chapter07.md#799-iaac---secure-design-and-architecture-stage-requirements>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

**Secure Code Stage Requirements**

.. list-table:: Table 2-14: Reference Model Requirements: IaaC Security Requirements, Secure Code Stage
   :header-rows: 1
   :widths: 13 13 54 20

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.code.001
     - IaaC
     - SAST - Static Application Security Testing **must** be applied during Secure Coding stage triggered by Pull, Clone or Comment trigger. Security testing that analyses application source code for software vulnerabilities and gaps against best practices. Example: open source OWASP range of tools.
     -
**Continuous Build, Integration and Testing Stage Requirements**

.. list-table:: Table 2-15: Reference Model Requirements - IaaC Security Requirements, Continuous Build, Integration and Testing Stage
   :header-rows: 1
   :widths: 12 14 54 20

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.bld.003
     - IaaC
     - Container and Image Scan **must** be applied during the Continuous Build, Integration and Testing stage triggered by Package trigger. Example: A push of a container image to a container registry may trigger a vulnerability scan before the image becomes available in the registry.
     -
**Continuous Delivery and Deployment Stage Requirements**

.. list-table:: Table 2-16: Reference Model Requirements - IaaC Security Requirements, Continuous Delivery and Deployment Stage
   :header-rows: 1
   :widths: 12 14 54 20

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.del.001
     - IaaC
     - Image Scan **must** be applied during the Continuous Delivery and Deployment stage triggered by Publish to Artifact and Image Repository trigger. Example: GitLab uses the open source Clair engine for container image scanning.
     -
   * - sec.del.002
     - IaaC
     - Code Signing **must** be applied during the Continuous Delivery and Deployment stage triggered by Publish to Artifact and Image Repository trigger. Code Signing provides authentication to assure that downloaded files are from the publisher named on the certificate.
     -
   * - sec.del.004
     - IaaC
     - Component Vulnerability Scan **must** be applied during the Continuous Delivery and Deployment stage triggered by Instantiate Infrastructure trigger. The vulnerability scanning system is deployed on the cloud platform to detect security vulnerabilities of specified components through scanning and to provide timely security protection. Example: OWASP Zed Attack Proxy (ZAP).
     -
**Runtime Defence and Monitoring Requirements**

.. list-table:: Table 2-17: Reference Model Requirements - IaaC Security Requirements, Runtime Defence and Monitoring Stage
   :header-rows: 1
   :widths: 12 14 54 20

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.run.001
     - IaaC
     - Component Vulnerability Monitoring **must** be continuously applied during the Runtime Defence and Monitoring stage. Security technology that monitors components like virtual servers and assesses data, applications, and infrastructure for security risks.
     -
.. _22610-compliance-with-standards-source-rm7910:

2.2.6.10. Compliance with Standards (source `RM7.9.10 <../../../ref_model/chapters/chapter07.md#7910-compliance-with-standards>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table:: Table 2-18: Reference Model Requirements: Cloud Infrastructure Security Requirements
   :header-rows: 1
   :widths: 12 14 54 20

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - sec.std.012
     - Standards
     - The Public Cloud Operator **must**, and the Private Cloud Operator **may**, be certified to be compliant with the International Standard on Awareness Engagements (ISAE) 3402 (US equivalent: SSAE 16).
     -
.. _23-architecture-and-openstack-requirements:

2.3 Architecture and OpenStack Requirements
-------------------------------------------

"Architecture" in this chapter refers to Cloud infrastructure (referred to as NFVI by ETSI) + VIM (as specified in Reference Model Chapter 3).

.. _231-general-requirements:

2.3.1 General Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table:: Table 2-19: General Requirements
   :header-rows: 1
   :widths: 12 14 46 28

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - gen.ost.01
     - Open source
     - The Architecture **must** use OpenStack APIs.
     - `RA-1 5.3 <./chapter05.md#5.3>`__
   * - gen.ost.02
     - Open source
     - The Architecture **must** support dynamic request and configuration of virtual resources (compute, network, storage) through OpenStack APIs.
     - `RA-1 5.3 <./chapter05.md#53-consolidated-set-of-apis>`__
   * - gen.rsl.01
     - Resiliency
     - The Architecture **must** support resilient OpenStack components that are required for the continued availability of running workloads.
     -
   * - gen.avl.01
     - Availability
     - The Architecture **must** provide High Availability for OpenStack components.
     - `RA-1 4.2 "Underlying Resources" <./chapter04.md#42-underlying-resources>`__
.. _232-infrastructure-requirements:

2.3.2 Infrastructure Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table:: Table 2-20: Infrastructure Requirements
   :header-rows: 1
   :widths: 12 14 46 28

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - inf.com.01
     - Compute
     - The Architecture **must** provide compute resources for VM instances.
     - `RA-1 3.3.1.4 "Cloud Workload Services" <./chapter03.md#3314-cloud-workload-services>`__
   * - inf.com.04
     - Compute
     - The Architecture **must** be able to support multiple CPU type options to support various infrastructure profiles (Basic and High Performance).
     - `RA-1 4.4.1. "Support for Cloud Infrastructure Profiles and flavors" <./chapter04.md#4.4.1>`__
   * - inf.com.05
     - Compute
     - The Architecture **must** support Hardware Platforms with NUMA capabilities.
     - `RA-1 4.4.1. "Support for Cloud Infrastructure Profiles and flavors" <./chapter04.md#4.4.1>`__
   * - inf.com.06
     - Compute
     - The Architecture **must** support CPU Pinning of the vCPUs of VM instance.
     - `RA-1 4.4.1. "Support for Cloud Infrastructure Profiles and flavors" <./chapter04.md#4.4.1>`__
   * - inf.com.07
     - Compute
     - The Architecture **must** support different hardware configurations to support various infrastructure profiles (Basic and High Performance).
     - `RA-1 3.3.3. "Host aggregates providing resource pooling" <./chapter03.md#333-host-aggregates-providing-resource-pooling>`__
   * - inf.com.08
     - Compute
     - The Architecture **must** support allocating certain number of host cores for all non-tenant
     - Dedicating host cores to certain workloads (e.g., OpenStack services)
.. _233-vim-requirements:

2.3.3 VIM Requirements
~~~~~~~~~~~~~~~~~~~~~~

.. list-table:: Table 2-21: VIM Requirements
   :header-rows: 1
   :widths: 10 14 44 32

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - vim.01
     - General
     - The Architecture **must** allow infrastructure resource sharing.
     - `RA-1 3.2. "Consumable Infrastructure Resources and Services" <./chapter03.md#32-consumable-infrastructure-resources-and-services>`__
   * - vim.03
     - General
     - The Architecture **must** allow VIM to discover and manage Cloud Infrastructure resources.
     - `RA-1 5.2.7. "Placement" <./chapter05.md#527-placement>`__
   * - vim.05
     - General
     - The Architecture **must** include image repository management.
     - `RA-1 4.3.1.2. "Glance" <./chapter04.md#4312-glance>`__
   * - vim.07
     - General
     - The Architecture **must** support multi-tenancy.
     - `RA-1 3.2.1. "Multi-Tenancy" <./chapter03.md#321-multi-tenancy-execution-environment>`__
   * - vim.08
     - General
     - The Architecture **must** support resource tagging.
     - "OpenStack Resource Tags"
.. _234-interfaces--apis-requirements:

2.3.4 Interfaces & APIs Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 12 44 32

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - int.api.01
     - API
     - The Architecture **must** provide APIs to access the authentication service and the associated mandatory features detailed in chapter 5.
     - `RA-1 5.2.1 "Keystone" <./chapter05.md#521-keystone>`__
   * - int.api.02
     - API
     - The Architecture **must** provide APIs to access the image management service and the associated mandatory features detailed in chapter 5.
     - `RA-1 5.2.2 "Glance" <./chapter05.md#522-glance>`__
   * - int.api.03
     - API
     - The Architecture **must** provide APIs to access the block storage management service and the associated mandatory features detailed in chapter 5.
     - `RA-1 5.2.3 "Cinder" <./chapter05.md#523-cinder>`__
   * - int.api.04
     - API
     - The Architecture **must** provide APIs to access the object storage management service and the associated mandatory features detailed in chapter 5.
     - `RA-1 5.2.4 "Swift" <./chapter05.md#524-swift>`__
   * - int.api.05
     - API
     - The Architecture **must** provide APIs to access the network management service and the associated mandatory features detailed in chapter 5.
     - `RA-1 5.2.5 "Neutron" <./chapter05.md#525-neutron>`__
   * - int.api.06
     - API
     - The Architecture **must** provide APIs to access the compute resources management service and the associated mandatory features detailed in chapter 5.
     - `RA-1 5.2.6 "Nova" <./chapter05.md#526-nova>`__
   * - int.api.07
     - API
     - The Architecture **must** provide GUI access to tenant facing cloud platform core services except at Edge/Far Edge clouds.
     - `RA-1 4.3.1.9 "Horizon" <./chapter04.md#4319-horizon>`__
   * - int.api.08
     - API
     - The Architecture **must** provide APIs needed to discover and manage Cloud Infrastructure resources.
     - `RA-1 5.2.7. "Placement" <./chapter05.md#527-placement>`__
   * - int.api.09
     - API
     - The Architecture **must** provide APIs to access the orchestration service.
     - `RA-1 5.2.8 "Heat" <./chapter05.md#528-heat>`__
   * - int.api.10
     - API
     - The Architecture **must** expose the latest version and microversion of the APIs for the given Anuket OpenStack release for each of the OpenStack core services.
     - `RA-1 5.2 Core OpenStack Services APIs <./chapter05.md#52-core-openstack-services-apis>`__

Table 2-22: Interfaces and APIs Requirements
.. _235-tenant-requirements:

2.3.5 Tenant Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 12 44 32

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - tnt.gen.01
     - General
     - The Architecture **must** support self-service dashboard (GUI) and APIs for users to deploy, configure and manage their workloads.
     - `RA-1 4.3.1.9 "Horizon" <./chapter04.md#4319-horizon>`__ and `3.3.1.4 Cloud Workload Services <./chapter03.md#3314-cloud-workload-services>`__

Table 2-23: Tenant Requirements
.. _236-operations-and-lcm:

2.3.6 Operations and LCM
~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 18 50 20

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - lcm.gen.01
     - General
     - The Architecture **must** support zero downtime of running workloads when the number of compute hosts and/or the storage capacity is being expanded or unused capacity is being removed.
     -
   * - lcm.adp.02
     - Automated deployment
     - The Architecture **must** support upgrades of software, provided by the cloud provider, so that the running workloads are not impacted (viz., hitless upgrades). Please note that this means that the existing data plane services should not fail (go down).
     -

Table 2-24: LCM Requirements
.. _237-assurance-requirements:

2.3.7 Assurance Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 14 54 20

   * - Ref #
     - sub-category
     - Description
     - Traceability
   * - asr.mon.01
     - Integration
     - The Architecture **must** include integration with various infrastructure components to support collection of telemetry for assurance monitoring and network intelligence.
     -
   * - asr.mon.03
     - Monitoring
     - The Architecture **must** allow for the collection and dissemination of performance and fault information.
     -
   * - asr.mon.04
     - Network
     - The Cloud Infrastructure Network Fabric and Network Operating System **must** provide network operational visibility through alarming and streaming telemetry services for operational management, engineering planning, troubleshooting, and network performance optimisation.
     -

Table 2-25: Assurance Requirements
.. _24-architecture-and-openstack-recommendations:

2.4 Architecture and OpenStack Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The requirements listed in this section are optional, and are not required in order to be deemed a conformant implementation.

.. _241-general-recommendations:

2.4.1 General Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 14 38 36

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - gen.cnt.01
     - Cloud nativeness
     - The Architecture **should** consist of stateless service components. However, where state is required it must be kept external to the component.
     - OpenStack consists of both stateless and stateful services where the stateful services utilise a database. For the latter see "Configuring the stateful services"

Table 2-26: General Recommendations
.. _242-infrastructure-recommendations:

2.4.2 Infrastructure Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 14 46 28

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - inf.com.02
     - Compute
     - The Architecture **should** include industry standard hardware management systems at both HW device level (embedded) and HW platform level (external to device).
     -
   * - inf.com.03
     - Compute
     - The Architecture **should** support Symmetric Multiprocessing with shared memory access as well as Simultaneous Multithreading.
     -
   * - inf.stg.08
     - Storage
     - The Architecture **should** allow use of externally provided large archival storage for its Backup / Restore / Archival needs.
     -
   * - inf.stg.09
     - Storage
     - The Architecture **should** make available all non-host OS / Hypervisor / Host systems storage as network-based Block, File or Object Storage for tenant/management consumption.
     -
   * - inf.stg.10
     - Storage
     - The Architecture **should** provide local Block storage for VM Instances.
     - `RA-1 "Virtual Storage" <./chapter03.md#323-virtual-storage>`__
   * - inf.ntw.04
     - Network
     - The Architecture **should** support service function chaining.
     -
   * - inf.ntw.06
     - Network
     - The Architecture **should** support Distributed Virtual Routing (DVR) to allow compute nodes to route traffic efficiently.
     -
   * - inf.ntw.08
     - Network
     - The Cloud Infrastructure Network Fabric **should** embrace the concepts of open networking and disaggregation using commodity networking hardware and disaggregated Network Operating Systems.
     -
   * - inf.ntw.09
     - Network
     - The Cloud Infrastructure Network Fabric **should** embrace open-based standards and technologies.
     -
   * - inf.ntw.11
     - Network
     - The Cloud Infrastructure Network Fabric **should** be architected to provide a standardised, scalable, and repeatable deployment model across all applicable Cloud Infrastructure sites.
     -
   * - inf.ntw.17
     - Network
     - The Architecture **should** use dual stack IPv4 and IPv6 for Cloud Infrastructure internal networks.
     -
   * - inf.acc.01
     - Acceleration
     - The Architecture **should** support Application Specific Acceleration (exposed to VNFs).
     - `RA-1 3.2.6. "Acceleration" <./chapter03.md#326-acceleration>`__
   * - inf.acc.02
     - Acceleration
     - The Architecture **should** support Cloud
     - "OpenStack Future - Specs defined"

Table 2-27: Infrastructure Recommendations
.. _243-vim-recommendations:

2.4.3 VIM Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 10 14 40 36

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - vim.02
     - General
     - The Architecture **should** support deployment of OpenStack components in containers.
     - `RA-1 4.3.2. "Containerised OpenStack Services" <./chapter04.md#432-containerised-openstack-services>`__
   * - vim.04
     - General
     - The Architecture **should** support Enhanced Platform Awareness (EPA) only for discovery of infrastructure resource capabilities.
     -
   * - vim.06
     - General
     - The Architecture **should** allow orchestration solutions to be integrated with VIM.
     -
   * - vim.09
     - General
     - The Architecture **should** support horizontal scaling of OpenStack core services.
     -

Table 2-28: VIM Recommendations
.. _244-interfaces-and-apis-recommendations:

2.4.4 Interfaces and APIs Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 14 44 30

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - int.acc.01
     - Acceleration
     - The Architecture **should** provide an open and standard acceleration interface to VNFs.
     -
   * - int.acc.02
     - Acceleration
     - The Architecture **should not** rely on SR-IOV PCI pass-through for the acceleration interface exposed to VNFs.
     - duplicate of inf.acc.03 under "Infrastructure Recommendations"

Table 2-29: Interfaces and APIs Recommendations
.. _245-tenant-recommendations:

2.4.5 Tenant Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This section is left blank for future use.

===== ============ =========== =====
Ref # sub-category Description Notes
===== ============ =========== =====
===== ============ =========== =====

Table 2-30: Tenant Recommendations
.. _246-operations-and-lcm-recommendations:

2.4.6 Operations and LCM Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 20 56 12

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - lcm.adp.01
     - Automated deployment
     - The Architecture **should** allow for "cookie cutter" automated deployment, configuration, provisioning and management of multiple Cloud Infrastructure sites.
     -
   * - lcm.adp.03
     - Automated deployment
     - The Architecture **should** support hitless upgrade of all software provided by the cloud provider that is not covered by lcm.adp.02. Whenever hitless upgrades are not feasible, an attempt should be made to minimise the duration and nature of the impact.
     -
   * - lcm.adp.04
     - Automated deployment
     - The Architecture **should** support declarative specifications of hardware and software assets for automated deployment, configuration, maintenance and management.
     -
   * - lcm.adp.05
     - Automated deployment
     - The Architecture **should** support an automated process for deployment and life-cycle management of VIM instances.
     -
   * - lcm.cid.02
     - CI/CD
     - The Architecture **should** support integrating with a CI/CD toolchain for Cloud Infrastructure and VIM components automation.
     -

Table 2-31: LCM Recommendations
.. _247-assurance-recommendations:

2.4.7 Assurance Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 14 62 12

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - asr.mon.02
     - Monitoring
     - The Architecture **should** support Network Intelligence capabilities that allow richer diagnostic capabilities which take as input a broader set of data across the network and from VNF workloads.
     -

Table 2-32: Assurance Recommendations
.. _248-security-recommendations:

2.4.8 Security Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. _2481-system-hardening-source-rm-791:

2.4.8.1. System Hardening (source `RM 7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 14 62 12

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.gen.011
     - Hardening
     - The Cloud Infrastructure **should** support Read and Write only storage partitions (write only permission to one or more authorised actors).
     -
   * - sec.gen.014
     - Hardening
     - All servers part of Cloud Infrastructure **should** support measured boot and an attestation server that monitors the measurements of the servers.
     -

Table 2-33: System Hardening Recommendations
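The measured-boot requirement in sec.gen.014 needs an attestation server that replays each server's boot event log and compares the result with a known-good value. The following is an added example, not code from RA-1 or from any OpenStack project, of that check in Python using TPM-style PCR extend semantics. The boot components, versions, digests, golden values and server ids are constructed sample data, and verification of the TPM quote's signature against the server's attestation key is assumed to have happened before this check runs.

```python
"""Attestation-server check for measured boot (added example, constructed data).

A measured-boot chain records every boot component by "extending" its hash into a
register: pcr = SHA-256(pcr || H(component)). The server keeps a golden event log
for the approved build, replays the log each server reports, checks that the replay
explains the quoted PCR value, and then compares the quote with the golden value.
"""
import hashlib


def extend(pcr, measurement):
    """TPM-style PCR extend: new = SHA-256(old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def replay_log(event_log):
    """Recompute the register from an ordered list of (component, digest) events."""
    pcr = bytes(32)  # a PCR is all-zero at power-on
    for _, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def measure(component, version):
    """Stand-in for the firmware's hash of a boot component (constructed, not real firmware output)."""
    return hashlib.sha256(f"{component}:{version}".encode()).digest()


# Golden event log for the approved build of this server model (constructed sample).
GOLDEN_LOG = [
    ("firmware", measure("firmware", "1.4.2")),
    ("bootloader", measure("bootloader", "2.06")),
    ("kernel", measure("kernel", "5.15.0-hardened")),
    ("initramfs", measure("initramfs", "build-771")),
]
GOLDEN_PCR = replay_log(GOLDEN_LOG)


def diff_log(reported_log):
    """Names of events whose digest differs from the golden log; also flags a count mismatch."""
    drift = [name for (name, got), (_, want) in zip(reported_log, GOLDEN_LOG) if got != want]
    if len(reported_log) != len(GOLDEN_LOG):
        drift.append("event-count-mismatch")
    return drift


def attest(server_id, reported_log, quoted_pcr):
    """Verdict for one server.

    The quote is assumed to be signature-verified already (omitted here); this
    function only checks that the log explains the quote and that the quote is golden.
    """
    log_consistent = replay_log(reported_log) == quoted_pcr
    matches_golden = quoted_pcr == GOLDEN_PCR
    return {
        "server": server_id,
        "ok": log_consistent and matches_golden,
        "log_consistent": log_consistent,
        # A log that does not replay to the quote cannot be trusted to explain anything.
        "drift": diff_log(reported_log) if log_consistent else ["untrusted-log"],
    }


def demo():
    """Three constructed servers: clean, booted with a different kernel, and one
    whose reported log does not match its quote."""
    modified_log = [
        (name, measure("kernel", "5.15.0-generic") if name == "kernel" else digest)
        for name, digest in GOLDEN_LOG
    ]
    return {
        "srv-01": attest("srv-01", GOLDEN_LOG, GOLDEN_PCR),
        "srv-02": attest("srv-02", modified_log, replay_log(modified_log)),
        "srv-03": attest("srv-03", GOLDEN_LOG, replay_log(modified_log)),
    }


if __name__ == "__main__":
    for server, verdict in demo().items():
        print(server, "OK" if verdict["ok"] else f"FAIL drift={verdict['drift']}")
```

The two failure modes are deliberately distinguished: a consistent log that replays to a non-golden value names the component that changed, which is what an operator needs to act on, whereas a log that does not replay to the quote is reported as untrusted without naming components, because nothing in it can be relied on.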
.. _2482-platform-and-access-source-rm-792:

2.4.8.2. Platform and Access (source `RM 7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 14 44 30

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.sys.014
     - Access
     - The Platform **should** use Linux Security Modules such as SELinux to control access to resources.
     -
   * - sec.sys.020
     - Access
     - The Cloud Infrastructure architecture **should** rely on Zero Trust principles to build a secure by design environment.
     - Zero Trust Architecture (ZTA) described in NIST SP 800-207

Table 2-34: Platform and Access Recommendations
.. _2483-confidentiality-and-integrity-source-rm793:

2.4.8.3. Confidentiality and Integrity (source `RM7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 24 52 12

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.ci.002
     - Confidentiality/Integrity
     - The Platform **should** support self-encrypting storage devices.
     -
   * - sec.ci.009
     - Confidentiality/Integrity
     - For sensitive data encryption, the key management service **should** leverage a Hardware Security Module to manage and protect cryptographic keys.
     -

Table 2-35: Confidentiality and Integrity Recommendations
.. _2484-workload-security-source-rm794:

2.4.8.4. Workload Security (source `RM7.9.4 <../../../ref_model/chapters/chapter07.md#794-workload-security>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 14 62 12

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.wl.007
     - Workload
     - The Operator **should** implement processes and tools to verify VNF authenticity and integrity.
     -

Table 2-36: Workload Security Recommendations
.. _2485-image-security-source-rm795:

2.4.8.5. Image Security (source `RM7.9.5 <../../../ref_model/chapters/chapter07.md#795-image-security>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This section is left blank for future use.

===== ============ =========== =====
Ref # sub-category Description Notes
===== ============ =========== =====
===== ============ =========== =====

Table 2-37: Image Security Recommendations
.. _2486-security-lcm-source-rm796:

2.4.8.6. Security LCM (source `RM7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 14 62 12

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.lcm.004
     - LCM
     - The Cloud Operator **should** support automated templated approved changes; templated approved changes for automation where available.
     -

Table 2-38: LCM Security Recommendations
.. _2487-monitoring-and-security-audit-source-rm797:

2.4.8.7. Monitoring and Security Audit (source `RM7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The Platform is assumed to provide configurable alerting and notification capability, and the operator is assumed to have automated systems, policies and procedures to act on alerts and notifications in a timely fashion. In the following, the monitoring and logging capabilities can trigger alerts and notifications for appropriate action.

.. list-table::
   :header-rows: 1
   :widths: 12 14 62 12

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.mon.014
     - Monitoring
     - The Monitoring systems **should** not impact IaaS, PaaS, and SaaS SLAs including availability SLAs.
     -
   * - sec.mon.016
     - Monitoring
     - The Platform Monitoring components **should** follow security best practices for auditing, including secure logging and tracing.
     -

Table 2-39: Monitoring and Security Audit Recommendations
.. _2488-open-source-software-security-source-rm798:

2.4.8.8. Open-Source Software Security (source `RM7.9.8 <../../../ref_model/chapters/chapter07.md#798-open-source-sotfware>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 12 14 44 30

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.oss.004
     - Software
     - A Software Bill of Materials (SBOM)
     - https://www.ntia.gov/SBOM

Table 2-40: Open-Source Software Security Recommendations
.. _2489-iaac-security-source-rm799:

2.4.8.9. IaaC security (source `RM7.9.9 <../../../ref_model/chapters/chapter07.md#799-iaac---secure-design-and-architecture-stage-requirements>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

**Secure Design and Architecture Stage**

.. list-table::
   :header-rows: 1
   :widths: 14 12 44 30

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.arch.001
     - IaaC
     - Threat Modelling methodologies and tools **should** be used during the Secure Design and Architecture stage triggered by Software Feature Design trigger. Methodology to identify and understand threats impacting a resource or set of resources.
     - It may be done manually or using tools like open source OWASP Threat Dragon
   * - sec.arch.002
     - IaaC
     - Security Control Baseline Assessment **should** be performed during the Secure Design and Architecture stage triggered by Software Feature Design trigger.
     - Typically done manually by internal or independent assessors.

Table 2-41: Reference Model Requirements: IaaC Security, Design and Architecture Stage
**Secure Code Stage Requirements**

.. list-table::
   :header-rows: 1
   :widths: 14 12 44 30

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.code.002
     - IaaC
     - SCA – Software Composition Analysis **should** be applied during Secure Coding stage triggered by Pull, Clone or Comment trigger. Security testing that analyses application source code or compiled code for software components with known vulnerabilities.
     - Example: open source OWASP range of tools.
   * - sec.code.003
     - IaaC
     - Source Code Review **should** be performed continuously during Secure Coding stage.
     - Typically done manually.
   * - sec.code.004
     - IaaC
     - Integrated SAST via IDE Plugins **should** be used during Secure Coding stage triggered by Developer Code trigger. On the local machine: through the IDE or integrated test suites; triggered on completion of coding by developer.
     -
   * - sec.code.005
     - IaaC
     - SAST of Source Code Repo **should** be performed during Secure Coding stage triggered by Developer Code trigger. Continuous delivery pre-deployment: scanning prior to deployment.
     -

Table 2-42: Reference Model Requirements: IaaC Security, Secure Code Stage
**Continuous Build, Integration and Testing Stage Requirements**

.. list-table::
   :header-rows: 1
   :widths: 14 12 44 30

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.bld.001
     - IaaC
     - SAST – Static Application Security Testing **should** be applied during the Continuous Build, Integration and Testing stage triggered by Build and Integrate trigger.
     - Example: open source OWASP range of tools.
   * - sec.bld.002
     - IaaC
     - SCA – Software Composition Analysis **should** be applied during the Continuous Build, Integration and Testing stage triggered by Build and Integrate trigger.
     - Example: open source OWASP range of tools.
   * - sec.bld.004
     - IaaC
     - DAST – Dynamic Application Security Testing **should** be applied during the Continuous Build, Integration and Testing stage triggered by Stage & Test trigger. Security testing that analyses a running application by exercising application functionality and detecting vulnerabilities based on application behaviour and response.
     - Example: OWASP ZAP.
   * - sec.bld.005
     - IaaC
     - Fuzzing **should** be applied during the Continuous Build, Integration and Testing stage triggered by Stage & Test trigger. Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.
     - Example: GitLab Open Sources Protocol Fuzzer Community Edition.
   * - sec.bld.006
     - IaaC
     - IAST – Interactive Application Security Testing **should** be applied during the Continuous Build, Integration and Testing stage triggered by Stage & Test trigger. Software component deployed with an application that assesses application behaviour and detects presence of vulnerabilities on an application being exercised in realistic testing scenarios.
     - Example: Contrast Community Edition.

Table 2-43: Reference Model Requirements: IaaC Security, Continuous Build, Integration and Testing Stage
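sec.code.002 and sec.bld.002 call for Software Composition Analysis at the Pull/Clone and Build and Integrate triggers, and sec.oss.004 (Table 2-40) for a Software Bill of Materials; the two fit together, since running SCA over the SBOM is the direct way to find components with known vulnerabilities. The following is an added example, not code from RA-1, OWASP or GitLab: a minimal SCA in Python over a CycloneDX-shaped SBOM with a pipeline gate. The package names, versions, advisory ids and severities are constructed placeholders (not real projects or a real vulnerability feed), and the gate policy of blocking on critical or high findings is an assumption.

```python
"""Minimal SCA over an SBOM (added example, constructed data)."""
import json

# Constructed SBOM in CycloneDX JSON shape; package names are placeholders, not real projects.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "netparse",   "version": "1.26.5", "purl": "pkg:pypi/netparse@1.26.5"},
    {"type": "library", "name": "cfgloader",  "version": "5.3.1",  "purl": "pkg:pypi/cfgloader@5.3.1"},
    {"type": "library", "name": "examplelib", "version": "2.2.0",  "purl": "pkg:pypi/examplelib@2.2.0"},
    {"type": "library", "name": "tlsshim",    "version": "3.0.12", "purl": "pkg:pypi/tlsshim@3.0.12"}
  ]
}
"""

# Constructed advisory feed: (advisory id, package, introduced, fixed, severity).
# Ranges follow the usual "introduced <= version < fixed" convention.
ADVISORIES = [
    ("ADV-0001", "cfgloader", "0", "5.4.0", "high"),
    ("ADV-0002", "netparse", "1.0.0", "1.26.18", "medium"),
    ("ADV-0003", "examplelib", "2.0.0", "2.1.0", "critical"),   # 2.2.0 is already fixed
    ("ADV-0004", "tlsshim", "3.1.0", "3.1.5", "high"),          # 3.0.12 predates the bug
]


def parse_version(text):
    """Turn '1.26.5' into (1, 26, 5) so tuple comparison orders versions numerically."""
    return tuple(int(part) for part in text.split("."))


def load_sbom(json_text):
    """Return (name, version) pairs from a CycloneDX-shaped SBOM; reject other formats."""
    doc = json.loads(json_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def scan(components, advisories=ADVISORIES):
    """Match every SBOM component against every advisory; one finding per hit."""
    findings = []
    for name, version in components:
        for adv_id, pkg, introduced, fixed, severity in advisories:
            if pkg == name and is_affected(version, introduced, fixed):
                findings.append({"component": name, "version": version, "advisory": adv_id,
                                 "severity": severity, "fixed_in": fixed})
    return findings


def gate(findings, fail_on=("critical", "high")):
    """Pipeline gate (assumed policy): True means block the build."""
    return any(f["severity"] in fail_on for f in findings)


def run_sca(json_text=SBOM_JSON):
    """Parse the SBOM, scan it, and return (findings, blocked)."""
    findings = scan(load_sbom(json_text))
    return findings, gate(findings)


if __name__ == "__main__":
    results, blocked = run_sca()
    for f in results:
        print(f"{f['advisory']}: {f['component']} {f['version']} ({f['severity']}), fixed in {f['fixed_in']}")
    print("build blocked" if blocked else "build allowed")
```

The same `scan` and `gate` serve both triggers named in the tables: at Pull/Clone the SBOM is generated from the lockfile, at Build and Integrate from the built artifact, so drift between the two is itself a finding worth alerting on.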
**Continuous Delivery and Deployment Stage Requirements**

.. list-table::
   :header-rows: 1
   :widths: 13 14 43 30

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.del.003
     - IaaC
     - Artifact and Image Repository Scan **should** be continuously applied during the Continuous Delivery and Deployment stage.
     - Example: GitLab uses the open source Clair engine for container scanning.

Table 2-44: Reference Model Requirements: IaaC Security, Continuous Delivery and Deployment Stage
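As an added example (not text from this Reference Architecture, nor GitLab's own documentation), the following GitLab CI pipeline shows one way to map the build-stage requirements (sec.bld.001, 002, 004, 005) and the delivery-stage image scan (sec.del.003) onto the Build and Integrate and Stage & Test triggers; the template paths are GitLab's shipped security templates, while APP_IMAGE, the staging URL, openapi.json and deploy.sh are assumed placeholders.

```yaml
# Added illustration, not part of this Reference Architecture or of GitLab's
# documentation: one pipeline wiring sec.bld.001/002/004/005 and sec.del.003
# to the two triggers named in Table 2-43.  Template paths are GitLab's
# shipped templates; APP_IMAGE, the staging URL, openapi.json and deploy.sh
# are assumed placeholders.
include:
  - template: Security/SAST.gitlab-ci.yml                 # sec.bld.001 SAST
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # sec.bld.002 SCA
  - template: Security/Container-Scanning.gitlab-ci.yml   # sec.del.003 image scan
  - template: Security/DAST.gitlab-ci.yml                 # sec.bld.004 DAST
  - template: Security/API-Fuzzing.gitlab-ci.yml          # sec.bld.005 fuzzing

# Everything up to "test" belongs to the Build and Integrate trigger; "dast"
# and "fuzz" run against the staged application and belong to the Stage & Test
# trigger.  The included template jobs default to the stage names used here.
stages:
  - build
  - test            # SAST, SCA and container-scanning jobs land here
  - deploy-staging
  - dast
  - fuzz
  - deploy

variables:
  APP_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"   # assumed image name
  CS_IMAGE: "$APP_IMAGE"                            # image the container scan inspects
  DAST_WEBSITE: "https://staging.example.invalid"   # assumed staging URL
  FUZZAPI_TARGET_URL: "https://staging.example.invalid"
  FUZZAPI_OPENAPI: "openapi.json"                   # assumed API description in the repo
  FUZZAPI_PROFILE: Quick-10

build-image:
  stage: build
  image: docker:24
  services: [docker:24-dind]
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$APP_IMAGE" .
    - docker push "$APP_IMAGE"

deploy-staging:
  stage: deploy-staging
  # Project-specific step: roll APP_IMAGE out to the staging environment that
  # DAST_WEBSITE and FUZZAPI_TARGET_URL point at, before the dast/fuzz stages run.
  script:
    - ./deploy.sh staging "$APP_IMAGE"   # assumed deployment script
  environment:
    name: staging
```

IAST (sec.bld.006) has no GitLab template; it is attached to the staged application as an agent during the same Stage & Test window. The runtime-stage items of Table 2-45 (RASP, runtime fuzzing, penetration testing) sit outside the pipeline and are not represented here.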
**Runtime Defence and Monitoring Requirements**

.. list-table::
   :header-rows: 1
   :widths: 13 14 43 30

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.run.002
     - IaaC
     - RASP – Runtime Application Self-Protection **should** be continuously applied during the Runtime Defence and Monitoring stage. Security technology deployed within the target application in production for detecting, alerting on, and blocking attacks.
     -
   * - sec.run.003
     - IaaC
     - Application testing and Fuzzing **should** be continuously applied during the Runtime Defence and Monitoring stage. Fuzzing, or fuzz testing, is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.
     - Example: GitLab's open source Protocol Fuzzer Community Edition.
   * - sec.run.004
     - IaaC
     - Penetration Testing **should** be continuously applied during the Runtime Defence and Monitoring stage.
     - Typically done manually.

Table 2-45: Reference Model Requirements: IaaC Security, Runtime Defence and Monitoring Stage
.. _24810-compliance-with-standards-source-rm7910:

2.4.8.10. Compliance with Standards (source `RM7.9.10 <../../../ref_model/chapters/chapter07.md#7910-compliance-with-standards>`__)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. list-table::
   :header-rows: 1
   :widths: 13 14 53 20

   * - Ref #
     - sub-category
     - Description
     - Notes
   * - sec.std.001
     - Standards
     - The Cloud Operator **should** comply with Center for Internet Security CIS Controls (https://www.cisecurity.org/)
     -

Table 2-46: Security Recommendations