This document explains the procedures, checks and validations that DEISER follows in order to provide a way to audit the infrastructure dedicated to Cloud add-ons published on Atlassian Marketplace.
Security perimeter:
The assets, components and networks that will be affected by the audit are:
AWS account that belongs to DEISER
All artifacts, machines, environments, storages, databases and networks created in DEISER's AWS account
Access to AWS components and networks by DEISER's employees
Threat list:
Threat | Description |
---|---|
DigitalOcean Account access | Access to the DigitalOcean Account. |
Data backup | DEISER's add-ons have databases to store the connections and subscriptions; these databases are managed by DigitalOcean, as are their backups. |
Sensitive customer data | We do not store customers' or users' sensitive data. |
Deployment automation | DEISER has an automated process to deploy code from the repository (Bitbucket), passing through Bamboo and finally deploying to AWS instances. |
Unauthorized access or hacking of DigitalOcean components | All of this security is managed by DigitalOcean's internal security procedures: |
Audit checklist and procedure:
This checklist details all the procedures that must be checked in order to pass the audit.
...
Status | Action |
---|---|
 | Access list to DigitalOcean instances and services. Only the admins and designated people should have access. |
 | Check that DigitalOcean database instances are doing the backups according to the selected configuration. |
 | Check that DigitalOcean instances are running and that their alerts and notifications are attended to and correctly redirected to admins. |
 | Check all the steps that connect the repository (Bitbucket) with Bamboo, and that Bamboo performs a correct deploy to DigitalOcean. |
Audit regularity definition:
There must be a mandatory audit every year, unless there has recently been a security breach; in that case there must be a complete audit before restarting the service.
...