Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This document explains the procedures, checks and validations that DEISER follows in order to provide a way to audit the infrastructure dedicated to Cloud add-ons published on Atlassian Marketplace.

Security perimeter:

The assets, components and networks that will be affected by the audit are:

  • AWS account that belongs to DEISER

  • All artifacts, machines, environments, storages, databases and networks created in DEISER's AWS account

  • Access to AWS components and networks by DEISER's employees

Thread list:

Thread

Description

DigitalOcean Account access

Access to the DigitalOcean Account.

Data backup

DEISER's add-ons have databases to store the connections and subscriptions, this databases are managed by DigitalOcean as well as their backups.

Sensitive customer data

We don't store customers or users sensitive data.

Deployment automatization

DEISER has an automated process to deploy code from the repository (Bitbucket) passing through Bamboo and finally deployed to AWS instances.

Unauthorized access or hacking to DigitalOcean components

All this security is managed by DigitalOcean internal security procedures:
https://www.digitalocean.com/legal/data-security/


Audit checklist and procedure:

This checklist details all the procedures that need to be checked in order to pass the audit.

...

Status

Action

Status
colourGreen
titleOK

Status
colourYellow
titleneeds revision

Status
colourRed
titlenot passed

Access list to DigitalOcean instances and services. Only the admins and designed people should have access


Check DigitalOcean databases instances are doing the backups according to the selected configuration


Check DigitalOcean instances are running and their alerts and notifications are attended and well redirected to admins


Check all the steps that connect the repository (Bitbucket) with Bamboo and that this one makes a correct deploy to DigitalOcean

Audit regularity definition:

There should be a mandatory audit every year unless there has been a security breach recently, in that case there must be a complete audit before restarting the service.

...