Object Storage v2025.01

[damienjburks]

Please use this space to discuss the release candidate for Object Storage.

The controls catalog to review may be downloaded here: CCC.ObjStor_2025.01.pdf

Please follow this guide for CMB discussions: CMB Feedback Guide

Note

Remember to use "Add a Comment" to create a new feedback entry, and use "Write a reply" to extend or debate an existing point. Release managers may moderate posts for organizational or conduct purposes.

Release Manager: Damien Burks (@damienjburks)

[jmeridth]

A fix occurred in #592 removing some duplication. Can we please get a new release? Thank you. /cc @damienjburks

[damienjburks]

@jmeridth Yes - I'll create a new release once the feedback window has been closed.

[jmeridth]

@jmeridth Yes - I'll create a new release once the feedback window has been closed.

Thank you.

As I'm new here, I've not found where that timeframe is stated. Where is that info found? Thank you in advance.

[damienjburks]

@jmeridth It should be in your emails from the CMB distro. If not, I can resend it with the itinerary. Just send me your email so I can confirm you're on the list of subscribed emails.

[CharlesGCyber]

Reviewed both VPC and Object Storage controls. Controls align with stated threats. Sampled the mappings to other benchmarks as well as MITRE and do not see any misalignment.

[sarahecraddock]

Looks like there's a typo in CCC.C03.TR02, it reads:
When an entity attempts to view information presented by the service, service, the service MUST attempt to verify the client's identity through an authentication process.

I guess this should be:
When an entity attempts to view information presented by the service, the service MUST attempt to verify the client's identity through an authentication process.

[damienjburks]

This has been resolved.

[sarahecraddock]

There are two definitions for CCC.c04.TR01 in the controls YAML file:

1. When any access attempt is made to the service, the service MUST log the client identity, time, and result of the attempt.
2. When any access attempt is made to the view sensitive information, the service MUST log the client identity, time, and result of the attempt.

How would you advise testing these? (e.g. are there any recommended actions here) And how should we classify sensitive information, does that just mean data plane information i.e. data stored in the storage account?

[damienjburks]

This is a great question. The testing methodology will depend on the CSP. But ideally, you'll want to ensure that you leverage a cloud-native logging/monitoring solution (e.g. AWS CloudTrail/CloudWatch) and ensure that you have data logging enabled for cloud storage resources to build your detective controls around it.

Data classification should be decided based on the nature of the business you're conducting and regulatory requirements.

@mlysaght2017 - feel free to add more to clarify the questions that have been asked as well.

[sarahecraddock]

A couple of the tests under CCC.ObjStor.C05 are mis-titled as CCC.ObjStor.C06, namely TR02 and TR03.

[damienjburks]

Ref: #647

[damienjburks]

Official Release: https://github.com/finos/common-cloud-controls/releases/tag/v2025.01.ObjStor

For any additional updates or feedback, please reach out to the ccc-communications+subscribe@lists.finos.org.

[sarahecraddock]

Another quick question, this time on CCC_ObjStor_C01_TR01, which reads:
"When a request is made to read a protected bucket, the service MUST prevent any request using KMS keys not listed as trusted by the organization."

Is this referring to CMK encryption keys here? Or another type of key authentication?

[damienjburks]

CMK encryption keys and vendor managed keys.

[sarahecraddock]

One more quick one, CCC.C04.TR01 is defined twice, should these be CCC.C04.TR01 & CCC.C04.TR02 and then the current CCC.C04.TR02 bumped to CCC.C04.TR02?

[eddie-knight]

Was this resolved by #592 ?