finos / compliant-financial-infrastructure

Compliant Financial Infrastructure accelerates the development, deployment and adoption of services provided for AWS, Azure and Google in a way that meets existing regulatory and internal security controls.

License: Apache License 2.0

aws azure cloud cloud-service-certification finos gcp infrastructure-as-code

compliant-financial-infrastructure's People

Contributors

abdullahgarcia, adds68, adrianhammond, agitana, alfred-tommy-searce, alfredtommy, benjamb, brooklynrob, daniela-g-zheleva-db, danielazheleva, eddie-knight, finos-admin, fleadsom, git-hub-forwork1, j0eg, jhrozek, johanalimka, juozasa, maoo, mindthegab, ml4, pedroleaoc, peter-thomas-db, peterrhysthomas, shuchitach, thejuanandonly99, thinkl33t, timretout, tlater, tmewett


compliant-financial-infrastructure's Issues

Update Cloud Service Certification GitHub Team Members

Description

This issue describes changes to be made by @maoo at FINOS to the Cloud Service Certification team in GitHub, now that Peter Thomas (@peterrhysthomas) from Deutsche Bank has been approved as the CSC Lead Maintainer. See #54 #56

The changes below should happen to the following team https://github.com/orgs/finos/teams/fdx-cloud-cert/members

Action Items

  1. Add Peter Thomas as Lead Maintainer (@peterrhysthomas) to Cloud Service Certification.
  2. Remove Jason Nelson (@git-hub-forwork1) from the Cloud Service Certification GitHub team until further notice.
  3. Remove Rob Underwood (@brooklynrob) from the Cloud Service Certification GitHub team until further notice.
  4. No change to Abdullah Garcia (@abdullahgarcia) from JPMC.

Cloud Service Certification Service Contribution Infographic

Description

The FINOS team is creating an infographic that communicates how to raise a new Cloud Service Certification service contribution and needs your input to refine.

First Infographic Concept

The following proof of concept demonstrates how the infographic could work. However, in order to refine fully, we call upon your experience to give thoughts, feedback and ideas.

Cloud Service Certification Infographic Idea

Feedback and Sketches in the Comments

Please put your thoughts and feedback in the comments. Also, feel free to pencil your own sketch in the comments if that helps communicate your point of view 🚀

EPIC - Kubernetes Services

Definition and Delivery of Kubernetes across AWS, GCP and Azure.

Service Accelerator Templates

Infrastructure as Code

BDD Tests and Future 'Tests First' Initiatives

Translate Amazon DynamoDB Tests into Gherkin BDD

Description

Translate the Cloud Service Certification DynamoDB test cases into Gherkin BDD scripts, using the DynamoDB Test Cases Documentation below for reference.

DynamoDB Test Cases Documentation

Test Cases to Translate

  • 2.1 All DynamoDB tables are created with SSE enabled
    • Scenario – User creates a DynamoDB table with SSE encryption enabled
    • CloudTrail Event – Create a DynamoDB table with SSE enabled
    • Scenario – User creates a DynamoDB table without SSE enabled
    • CloudTrail Event - Create a DynamoDB table without SSE enabled
  • 2.2 All DynamoDB tables must remain encrypted at rest by SSE
    • Scenario – DescribeTable with SSE enabled
    • Scenario – DescribeTable without SSE enabled
  • 2.3 Users are prohibited from creating DynamoDB tables without SSE enabled
    • Scenario – User creates a DynamoDB table with SSE encryption enabled
    • CloudTrail Event – Create a DynamoDB table with SSE enabled
    • Scenario – User creates a DynamoDB table without SSE enabled
    • CloudTrail Event - Create a DynamoDB table without SSE enabled
  • 2.4 Be able to create an SSE protected DynamoDB table
    • Scenario – User creates a DynamoDB table with SSE encryption enabled
    • CloudTrail Event – Create a DynamoDB table with SSE enabled
    • Scenario – User creates a DynamoDB table without SSE enabled
    • CloudTrail Event - Create a DynamoDB table without SSE enabled
  • 2.5 Users can only connect to DynamoDB through HTTPS
    • Scenario – User accesses DynamoDB over the HTTPS endpoint
    • Scenario – User attempts to access DynamoDB over the HTTP endpoint
  • 2.6 Allow AWS Services to inherit an IAM role to access DynamoDB
    • Scenario – Lambda is granted permission to DynamoDB
  • 2.7 Update IAM policy to restrict access to a partition key or attribute in a DynamoDB table
    • Scenario – IAM policy that restricts access to a specific partition key in a DynamoDB table
    • Scenario – IAM policy that restricts access to a specific attribute in a DynamoDB table
  • 2.8 DynamoDB is only accessible via a VPC Endpoint
    • Scenario – A user creates a VPC endpoint
    • CloudTrail Event – A user makes a request to DynamoDB across a VPC endpoint
    • CloudTrail Event – A user makes a request to DynamoDB across the public internet
  • 2.9 All DynamoDB API calls are recorded in CloudTrail
  • 2.10 Restrict DynamoDB access through IAM roles
    • Scenario – IAM policy that restricts access to Read-Only on a specific DynamoDB table
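As an added example (not code from the CSC project), the Python below shows how the CreateTable and DescribeTable scenarios in 2.1 to 2.3 could be checked automatically before being scripted as Gherkin steps: it evaluates constructed CloudTrail records and DescribeTable responses. The `sSESpecification` key name follows CloudTrail's convention of lower-casing the first letter of request parameters and is an assumption to verify against a real trail; the table names, ARNs and records are constructed.

```python
"""Added example, not part of the CSC project: evaluate DynamoDB SSE compliance
from CloudTrail CreateTable events and DescribeTable output, mirroring test
cases 2.1-2.3 above. All records below are constructed for this example."""
import json
from typing import Dict, List, Optional

# Constructed CloudTrail records. CloudTrail lower-cases the first letter of
# request parameter names, so the API's SSESpecification is assumed to appear
# as "sSESpecification" (verify against your own trail output).
CLOUDTRAIL_RECORDS = [
    {
        "eventSource": "dynamodb.amazonaws.com",
        "eventName": "CreateTable",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {
            "tableName": "payments",
            "sSESpecification": {"enabled": True, "sSEType": "KMS"},
        },
    },
    {
        "eventSource": "dynamodb.amazonaws.com",
        "eventName": "CreateTable",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"tableName": "scratch"},  # no SSE block at all
    },
    {
        "eventSource": "s3.amazonaws.com",  # unrelated service, must be ignored
        "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "logs"},
    },
]

# Constructed DescribeTable responses in the shape boto3 returns. DynamoDB
# omits SSEDescription when a table uses the default AWS owned key, so an
# absent block is treated as "SSE not enabled" for control 2.2.
DESCRIBE_TABLE_RESPONSES = {
    "payments": {"Table": {"TableName": "payments",
                           "SSEDescription": {"Status": "ENABLED", "SSEType": "KMS"}}},
    "scratch": {"Table": {"TableName": "scratch"}},
}


def create_table_sse_enabled(record: Dict) -> Optional[bool]:
    """Control 2.1/2.3 check for one CloudTrail record.
    Returns True/False for DynamoDB CreateTable events, None for anything else."""
    if record.get("eventSource") != "dynamodb.amazonaws.com":
        return None
    if record.get("eventName") != "CreateTable":
        return None
    params = record.get("requestParameters") or {}
    sse = params.get("sSESpecification") or {}
    return bool(sse.get("enabled", False))


def describe_table_sse_enabled(response: Dict) -> bool:
    """Control 2.2 check: the table remains encrypted at rest by SSE."""
    desc = response.get("Table", {}).get("SSEDescription") or {}
    return desc.get("Status") == "ENABLED"


def findings(records: List[Dict], describe_responses: Dict) -> List[Dict]:
    """Evaluate every record and return one finding per DynamoDB CreateTable."""
    out = []
    for rec in records:
        verdict = create_table_sse_enabled(rec)
        if verdict is None:
            continue  # not a DynamoDB CreateTable event
        table = rec["requestParameters"].get("tableName")
        at_rest = describe_table_sse_enabled(describe_responses.get(table, {}))
        out.append({
            "table": table,
            "actor": rec.get("userIdentity", {}).get("arn"),
            "created_with_sse": verdict,
            "encrypted_at_rest": at_rest,
            "compliant": verdict and at_rest,
        })
    return out


if __name__ == "__main__":
    print(json.dumps(findings(CLOUDTRAIL_RECORDS, DESCRIBE_TABLE_RESPONSES), indent=2))
```

Each finding maps directly onto a Gherkin "Given a CloudTrail CreateTable event / When the SSE specification is inspected / Then the table is reported compliant" scenario, with the sample records standing in for the test fixtures.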

5 November 2020 - Cloud Service Certification Meeting

Date

Thursday 5 November 2020 - 12pm EST / 5pm UK

Untracked attendees

Name Firm Comment

Agenda

  • Convene, roll call, welcome new people
  • Approve previous meeting minutes - https://github.com/finos/cloud-service-certification/issues?
  • Cloud Service Certification Project Kanban Review
    • Including @alfredtommy pull request review of GKE TF scripts #73 outcome from Wednesday 4th November @ 2pm UK / 9am ET
  • Introduction from EDMC and CDMC team - Oli Bage (Refinitiv) & Richard Perris (Morgan Stanley)
  • Walk through of 'ready to consume' CDMC policy - Oli Bage & Richard Perris
    • Comparison to existing CSC Service Accelerator Template - @peterrhysthomas to chair
  • AOB, Q&A & Adjourn (5mins)

Previous Action Updates

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=m4b7c03efc2237c6685c1846e6d815cc3

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 127 062 3555

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

7 May 2020 - Cloud Service Certification Meeting

Date

Thursday 07 May 2020 - 10am EST

Untracked attendees

  • Dominic Dumrauf - CitiHub

Agenda

Decisions Made

  • Progressed Issue - #18
  • Progressed Issue - #16
  • Closed Issue - #12

Open Action Items

Closed Items

  • Ian Tivey to talk to CitiHub clients about joining Cloud Service Certification and their use of Kubernetes
  • James McLeod to introduce Freddie Leadsom to the FINOS Open Source Readiness Project
  • James McLeod to coordinate - Peter Thomas suggested connecting with Matt Gall to align methodologies, as the CitiHub team are advising a different area of Deutsche Bank.
  • James McLeod to coordinate - Peter Thomas would like suggestions on what would be useful to contribute to FINOS.
  • James McLeod to coordinate - Jamil Mina suggests Red Hat conduct a session where the Red Hat team can help answer how to commoditise open source software.

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
+1-415-655-0003 US Toll
+44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos-fdx/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

GCP GKE definition

Completed Issues and Merged Pull Requests

  • Delivery of Google Kubernetes Engine (GKE) Service for GCP including Security Command Center #44
  • Service Approval Accelerator for GKE service in GCP #48
  • Create Terraform scripts for deployment of GKE cluster and node pools as defined in Service Approval Accelerator template
  • Creation of peripheral modules
  • Testing and validation of above mentioned scripts
  • Raise PR request accordingly #73

Define the Service Approval Accelerator for PostgreSQL on Microsoft Azure

Description

Define the Service Approval Accelerator for PostgreSQL using the Service Approval Accelerator Template for reference.

Tasks

  • Create an azure\postgresql folder structure in the Cloud Services Certification project root.
  • Define the Service Approval Accelerator for PostgreSQL as markdown.
  • Commit the Service Approval Accelerator for PostgreSQL to the azure\postgresql folder.
  • Raise PR to project team for review and merge.

Service Approval Accelerator Template

The following is the Service Approval Accelerator Template on GitHub.

https://github.com/finos/cloud-service-certification/blob/master/templates/ServiceApprovalAcceleratorTemplate.md

White label Service Approval Accelerator Template for use across all service types

This item was discussed during #35 and relates to #37

Description

The Service Approval Accelerator Template contains information specific to RedShift.

This item is to remove technology specific language so the Service Approval Accelerator Template is white labeled and can be applied across all service types.

Success Criteria

  • Specific technology references are removed from the Service Approval Accelerator Template.
  • Technology references are replaced with language that does not confuse the purpose of the Service Approval Accelerator Template.
  • Changes are reviewed by @git-hub-forwork1 / @peterrhysthomas by pull request.
  • Accepted changes added to CSC agenda by @git-hub-forwork1 / @peterrhysthomas to feed back during next CSC group meeting.

30 July 2020 - Cloud Service Certification Meeting

Date

Thursday 30 July 2020 - 10am EST / 3pm BST

Untracked attendees

  • Eric Tice - Wipro
  • Luis Lopes - Itau (@junjikatto - Does Luis have a GitHub profile so we can register in the comments? 😄)

Agenda

  • Convene, roll call, welcome new people
  • Review action items from previous meetings
  • Approve previous meeting minutes - https://github.com/finos/cloud-service-certification/issues?q=is%3Aissue+is%3Aclosed+label%3Ameeting
  • Review : We've had a kanban tidy :)) Cloud Service Certification Kanban Review
  • Update : @alfredtommy - Service Approval Accelerator for GKE service in GCP #48
  • Discussion : @danizheleva - Service Accelerator Template
    • There has been some confusion about the content we should place in the “Measure of Compliance” column. @alfredtommy is currently producing one of the templates, so it would be interesting to see whether he has thought about this column. Maybe we just need to add more clarity to the template?
  • Review : @mcleo-d - Add Your Questions Answered page to the CSC wiki #52
  • Review : @mcleo-d - Transfer markdown content from Cloud Service Certification wiki tab on GitHub into a docs folder in the repo #50
  • AOB, Q&A & Adjourn (5mins)

Previous Actions

  • Edit project participants in Wiki #51
  • Working group to review contributions to be setup: starting with GCP GKE - #48 (comment)

Action Items

  • @abdullahgarcia to merge GCP GKE pull request with @alfredtommy following successful project review - #48
  • @abdullahgarcia to merge #52 #50 wiki docs PRs with @mcleo-d
  • @danizheleva - To continue with Deutsche Bank Service Accelerator Template for Azure Postgres, skipping over the “Measure of Compliance” column, with the intention to review with the group when ready.
  • @danizheleva - Assess if “Measure of Compliance” column is relevant and remove from Service Accelerator Template if decided not needed with the group.
  • @mcleo-d to work with @leefaus on adding compliance as code open policy agent demo to future CSC agenda with the intention of future Armoury collaboration.

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

Add "New Cloud Service Request" markdown template to CSC ISSUE_TEMPLATE folder

Description

All cloud services that are contributed to Cloud Service Certification must include a standard set of artefacts for the contribution to be considered done.

This work item is to add a "New Cloud Service Request" template as markdown to the Cloud Service Certification ISSUE_TEMPLATE folder as highlighted below.

This means that, for every request made for a new cloud service, the issue template will include the artefacts needed for the issue to be considered done when the item is picked up for contribution.

https://github.com/finos/cloud-service-certification/tree/master/.github/ISSUE_TEMPLATE

Work Items to Complete

---
name: <emoji_here> <template title>
about: <description>

---

## <template title>

<description of services contribution requirements>

- [ ] <service contribution requirement>
- [ ] <service contribution requirement>
- [ ] <service contribution requirement>
- [ ] <service contribution requirement>
- [ ] <service contribution requirement>

Standard set of artefacts to include

The following lists the artefacts required with each service request for the associated service contribution to be completed.

These should be added to the template as the <service contribution requirement>

  • Cloud Platform Target
  • Service Name
  • Service Approval Accelerator Definition
  • Control Framework Definition
  • Test Cases Created
  • Deployment Scripts Created
  • Gherkin Scripts Created

Edit project participants in Cloud Service Certification wiki

Description

During the Cloud Service Certification Meeting on 16th July 2020 #49 an action was taken to edit project participants in the CSC wiki. The following steps highlight activity needed to complete this request.

  • Transfer markdown content from Cloud Service Certification wiki tab on GitHub into a docs folder in the repo #50
  • Lead Maintainer to lead discussions on who should feature in wiki content as Maintainer.
  • Lead Maintainer to lead discussions on who should feature in wiki as Contributor.
  • Lead Maintainer to lead discussions on who should feature in wiki as Participant.
  • Raise pull request on project-charter.md as required.

21 May 2020 - Cloud Service Certification Meeting

Date

Thursday 21 May 2020 - 10am EST

Untracked attendees

  • Abdullah Garcia - JPMC

Agenda

  1. Convene, roll call, welcome new people
  2. Review action items from previous meetings
  3. Coordinate with Deutsche Bank and CitiHub regarding bringing coordinated activity into the open
  4. Report outcome of the following action item to the group (@git-hub-forwork1)
    • "Coordinate meeting with @git-hub-forwork1 to add more CSS project leads and maintainers to the project"
  5. Share FINOS Project Collaboration on Github and Contribution Compliance Requirements with the group (@mcleo-d)
  6. Group Question : Is the following activity something that should be conducted immediately or queued up for the future? (@git-hub-forwork1)
    • Coordinate with @jamilmina1 on Red Hat cloud service classifications and adding Kubernetes activity to the agenda
  7. AOB, Q&A & Adjourn

Decisions Made

  • Jason to liaise with Peter, Freddie and Daniela at DB to coordinate standard contribution structure across banks.
  • DB ready to contribute and need to decide how this should happen with Jason and the JPMC team.
  • This can be done amongst banking teams and then rolled out further to the group.
  • Item 6 :
    • Team decision not to focus on Kubernetes
    • DB not using Kubernetes at the moment and is focusing on Azure.
    • JPMC have open sourced Kubernetes material and believe this shouldn't be an immediate focus for now. This is not the focus area of Cloud Service Certification.
    • Wipro not in a position to comment at the moment without team input. Will ask the team and revert.
    • Red Hat acknowledges that there is no demand for Kube in this group at the moment though Red Hat may continue to use Kube as an underlying implementation for other services.
  • Item 4 :
    • Group Agreement DB will work with JPMC to formalise the structure, focus and direction of Cloud Service Certification as they draw closer to contributing into Cloud Service Certification.

Open Action Items

Action Items

Questions Raised

  • DB asks how JPMC are organising their branching strategy in order to engage with Cloud Service Certification?
    • @brooklynrob notes JPMC have FINOS projects whitelisted for FINOS contribution.

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos-fdx/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

First Iteration of Cloud Service Certification Roadmap

Description of Problem:

The Cloud Service Certification team requires a roadmap to be created that outlines a vision and direction for the OSS project.

This issue proposes the first iteration of roadmap as MVP to enable communication and the creation of the first team stories.

Potential Solutions:

  • First roadmap page created on the Cloud Service Certification GitHub wiki.
  • Roadmap content that describes ...
    • The problem and challenges the team are required to solve.
    • The vision, direction and team objectives for Q1 2020 (roadmap to adapt / grow as team moves forward).
    • Team roles, responsibilities and commitments needed to hit Q1 objectives.
  • When the roadmap has been created, this should be placed on the next project meeting agenda for team feedback, amendments and agreements.

Determine whether we want to document shared common services for Microsoft Azure

Description:

As part of our service definition for Azure, we have defined a number of common services which are shared by the native services used within application deployments. Examples of this are VNets, KeyVault, Log Analytics/Log Monitor, Private Endpoints, etc.

This issue is to clarify whether we need to document these as part of this initiative and how we should document them, for example we can include them as aspects of the other services (such as how KeyVault is used for Blob) or we can produce a stand-alone document defining these services.

Tasks:

  • Discuss and clarify the need to document separately or within the other services.
  • (If necessary) Define new issues to perform the definition of these shared services

16 July 2020 - Cloud Service Certification Meeting

Date

Thursday 16 July 2020 - 10am EST / 3pm BST

Untracked attendees

  • Jason Nelson - JPMC (@git-hub-forwork1 - Please say hello in the comments of #49)
  • Nati Shalom - Cloudify (@natishalom - Please say hello in the comments of #49)

Agenda

Previous Actions

Action Items

  • Edit project participants in Wiki #51
  • Working group to review contributions to be setup: starting with GCP GKE - #48 (comment)

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

2 July 2020 - Cloud Service Certification Meeting

Date

Thursday 2 July 2020 - 10am EST / 3pm BST

Untracked attendees

Agenda

  • Convene, roll call, welcome new people
  • Review action items from previous meetings... See Below
  • Approve previous meeting minutes - https://github.com/finos/cloud-service-certification/issues?q=is%3Aissue+is%3Aclosed+label%3Ameeting
  • @peterrhysthomas / @danizheleva Deutsche Bank update of changes made to make OSS delivery pipeline into CSC possible.
  • @fleadsom walkthrough of issue #23 and live review and merge pull request #46 - 'Add "New Cloud Service Request" markdown template to CSC ISSUE_TEMPLATE folder'.
  • @alfredtommy feedback and progress moving forward with #44 - "Delivery of Google Kubernetes Engine (GKE) Service for GCP including Security Command Center"
  • @anthonygtech to resurface #19 with the objective of determining the priority and work order with the group.
  • RedShift as gold service example to project README.md - @mcleo-d PR - #47
  • AOB, Q&A & Adjourn (5mins)

Previous Actions

Action Items

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

As a contributor to the Cloud Service Certification project I will convert the Cloud Security Alliance CSA_CCM_v3.0 spreadsheet to markdown and add to the CSC GitHub wiki as a new independent page

Description of Problem:

To keep the CSC community updated on cloud controls, the Cloud Security Alliance CSA_CCM_v3.0 spreadsheet should be added to the CSC GitHub wiki.

Potential Solutions:

CSC Community to Instruct and Prioritise Cloud Services Project Focus

Description

This GitHub Issue is an asynchronous discussion and potential vote to help instruct the Cloud Service Certification project on the next set of cloud services to be focused upon by the team.

During the Cloud Service Certification meeting on 10th September 2020 #61 the following services were called out and suggested by the group.

  1. Kubernetes - #64 (Epic)
  2. PostgreSQL - #80 (Epic)

  • Redis - Pending prioritisation. Subject to team member availability.
  • Prometheus
  • Grafana
  • MongoDB
  • MySQL

Please continue the suggestions and discussion in the comments below 👇

4 June 2020 - Cloud Service Certification Meeting

Date

Thursday 4th June 2020 - 10am EST / 3pm BST

Untracked attendees

  • Madhuri Racherla, Morgan Stanley
  • Ricardo Oneda, Itau
  • Eric Tice, Wipro

Agenda

Open Action Items

Actions

Notes

  • Help Wanted by @pudern for Google Cloud Platform priorities.
  • Request by @git-hub-forwork1 for CSC group to start writing contribution stories in CSC GitHub Issues.
  • Request by @git-hub-forwork1 for CSC members to collaborate on - New AWS Cloud Service request AWS EventBridge - #36
  • Members of CSC are welcome to collaborate across all cloud platforms as help with progression and learning experience - @git-hub-forwork1

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

DEPRECATED ISSUE : 7 May 2020 - Cloud Service Certification Meeting Minutes

Date

Thursday 07 May 2020 - 10am EST

Untracked attendees

  • ...

Agenda

  • Convene, roll call, welcome new people (5 min) - @git-hub-forwork1
  • Review action items from previous meetings (see above) (5 min) - @git-hub-forwork1
  • Cloud Service Certification Kanban Review (20 min) - @git-hub-forwork1
    • Let's review the CSC kanban to make sure the right items are in play and reflected correctly.
    • Action Items
      • As recorded in this GitHub Issue
    • In Progress
    • Prioritised
  • CSC project team reviewing code contributions and pull requests (15 min) - @git-hub-forwork1
    • It's been raised by the project we need a method of review contributions and pull requests that equally spans all project members. This item has been added to discuss next steps for creating a group of moderators.
  • Cloud Service Certification Group Review of CitiHub Compliance as Code GitHub Project (10 min)
  • AOB & adjourn (5 min) - @git-hub-forwork1

Decisions Made

  • Decision 1
  • Decision 2
  • ...

Action Items

  • Ian Tivey to talk to CitiHub clients about joining Cloud Service Certification and their use of Kubernetes
  • James McLeod to introduce Freddie Leadsom to the FINOS Open Source Readiness Project
  • James McLeod to coordinate - Peter Thomas suggested connecting with Matt Gall to align methodologies, as the CitiHub team are advising a different area of Deutsche Bank.
  • James McLeod to coordinate - Peter Thomas would like suggestions on what would be useful to contribute to FINOS.
  • James McLeod to coordinate - Jamil Mina suggests Red Hat conduct a session where the Red Hat team can help answer how to commoditise open source software.

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
+1-415-655-0003 US Toll
+44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos-fdx/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

As a contributor to the Cloud Service Certification project I will add/edit a wiki page by pull request to demonstrate community collaboration

As a member of the Cloud Service Certification project I will add/edit a wiki page by pull request to demonstrate community collaboration

Description of Problem:

In order for documentation contribution to succeed into the CSC GitHub wiki we need to prove pull requests can be raised against wiki documentation by cloning the following link ...

https://github.com/finos/cloud-service-certification.wiki.git

Potential Solutions:

  • Clone the wiki using the wiki repo link above
  • Add your name and details to the Project Participants table on the wiki homepage
  • Raise a pull request for the page edit to see if the change is possible against current repo settings
  • Report findings back to the comments / working group meeting on 16th January 2020
  • Educate the group where applicable

First release of Cloud Service Certification Artefacts

Description of Problem:

To accelerate the Cloud Service Certification OSS team, the first swathe of Cloud Service Certification artefacts should be contributed to the project.

Potential Solutions:

The contributed artefacts should be items that clearly demonstrate the direction of the project, such as cookbooks, infrastructure as code, BDD scripts and other items of value.

The artefacts should be tested and their functionality should be utilised by the community to allow team members to replicate, demonstrate and extend their functionality.

When the artefacts have been added, an agenda item should be added to the team group call to review, hand over and invite group feedback.

Functional and Declarative BDD Testing Examples

Feature Request

Description of Problem:

When writing tests for IaC solutions, I want to have the ability to use standard language conventions that already exist in other languages so I can reuse my knowledge and best practices as part of the solution.

Potential Solutions:

Using Pulumi would allow us to use common conventions that we already know with languages like TypeScript and Go with Gherkin and BDD. There are already existing documented approaches to using industry standard frameworks with Pulumi like TypeScript and Mocha.

This is an alternative to using specific testing frameworks that are IaC implementation specific and require learning a new framework.

Provide Feedback on Red Hat Compliance as Code Frameworks and Examples

Red Hat is committed to enabling hybrid/multi-cloud. One aspect of that is compliance as code that works on prem and in multiple public clouds. Any feedback on the following frameworks and examples is appreciated.

OpenSCAP can be used to deliver compliance as code for technical controls:

https://www.open-scap.org/

https://www.open-scap.org/features/scap-components/

Red Hat's SCAP content is stored in the Compliance as Code GitHub repository.
Directory of available content: https://github.com/ComplianceAsCode/content
Red Hat has SCAP content for OpenShift 3. That Red Hat SCAP content is inspired by the CIS Kubernetes v1.2 benchmark, and adjusted as needed to be OpenShift-specific. (You can download CIS benchmarks here: https://www.cisecurity.org/cis-benchmarks/)

  1. You can find the list of automated checks available for OpenShift 3 here:
    https://github.com/ComplianceAsCode/content/tree/master/ocp3/profiles

  2. One of the recommendations in the CIS Kubernetes benchmark is to ensure that the etcd datastore is encrypted. You can find the OVAL code to validate that the OpenShift etcd datastore is encrypted below:
    https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/api-server/api_server_encryption_provider_cipher/oval/shared.xml

Finally, if you have access to an OpenShift cluster and you'd like to try out our SCAP content for OpenShift 3, you can find the content here: https://nvd.nist.gov/ncp/checklist/866
and a cheat sheet for using the scanner and content is attached.

Also, if you haven't done so already, check out the Cloud Security Alliance Cloud Controls Matrix. It provides a terrific view of the overlapping controls across many regulatory and security frameworks. You can download it here:
https://cloudsecurityalliance.org/research/cloud-controls-matrix/

We'll be working next on building SCAP content for NIST 800-53 controls for OpenShift 4.

10 September 2020 - Cloud Service Certification Meeting

Date

Thursday 10 September 2020 - 10am EST / 3pm BST

Untracked attendees

  • Alessandro Petroni - RedHat (@apetroni - Can you register yourself in the comments below 👇 😄)
  • Alfred Tommy - Searce (@alfredtommy - Can you register yourself in the comments below 👇 😄)
  • Junji Katto - Itaú (@junjikatto - Can you register yourself in the comments below 👇 😄)
  • Pedro Henrique Toth - Itaú

Agenda

Previous Action Items

  • Infographic, FAQ and intro documentation #55, interested parties to comment on issue thread and a follow up session to be arranged
  • CodeThink to investigate first contribution options - possible Kubernetes for AWS or Azure or extension of GCP content
  • Team to consider options for OSS Forum, details to be provided by @toshaellison
  • Discussion at next session regarding linking/referencing code and documentation outside of Finos structure, eg Redhat OSS or Citihub OSS

Action Items

  • @peterrhysthomas to create an Epic in CSC GitHub Issues that represents the delivery and acceptance criteria of the Kubernetes service across all supported cloud services
  • @alfredtommy to create an issue in GitHub that represents the technical delivery of the Kubernetes service for GCP to support the pull request that's being raised
  • @abdullahgarcia to create an issue in GitHub that represents the creation of the Service Accelerator Template for the Kubernetes service in AWS
  • @leefaus to create a GitHub issue that represents the integration of Pulumi for BDD test purposes against the next appropriate Kubernetes cloud service that's delivered by the team cc @alfredtommy
  • @mcleo-d to create a 1 hour code review session with @danizheleva for the CSC group to review #60
  • @mcleo-d to create a GitHub Issue to support the offline prioritisation of the next CSC services after Kubernetes

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

Consider Asciidoc for document markup

Currently, documents are written in Markdown. They use a lot of tables, but Markdown table syntax is quite restrictive and doesn't allow multi-paragraph or block elements in a table cell. To work around this, HTML is used, which makes the documents harder to read and edit in plain text.

GitHub can render a few different markup languages, and one of these is Asciidoc (with Asciidoctor; extension .adoc). This supports quite flexible table syntax, as well as automatic tables of contents and other more sophisticated document features, so might be worth evaluating.

Addition of IaaC (Terraform Scripts) for GKE service

GKE Terraform Script

  • Cloud Platform Target: GCP

  • The directory in which the Cloud Service will reside (/gcp/gke).

  • The name of the service: IaaC (Terraform) for GKE

Description: Tested and validated Terraform script(s) for deploying a GKE cluster and node pools according to security and networking best practices.

19 November 2020 - Cloud Service Certification Meeting

Date

Thursday 19 November 2020 - 10am EST / 3pm GMT

Untracked attendees

Name Firm Comment

Agenda

Decisions Made

Action Items

  • @mcleo-d to arrange a PR review of #76 with @abdullahgarcia and the CSC group. This is confirmed for Monday 30th November @11am ET / 4pm GMT on the FINOS Community WebEx. All are invited to join.
  • @mcleo-d to arrange a CIS benchmarks and BDD meeting following a CSC project meeting discussion. See CSC issue #84 for updates. Meeting scheduled for Wednesday 25th November @11:30am ET / 4:30pm GMT on the FINOS Community WebEx. All are invited to join.
  • @leefaus to rename #62 to Functional versus Declarative BDD Testing Examples and produce examples of Functional versus Declarative BDD Testing to share with the CSC project for wider input and feedback.

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

22 October 2020 - Cloud Service Certification Meeting

Date

Thursday 22 October 2020 - 10am EST / 3pm BST

Untracked attendees

Name Firm Comment
Alexander Molev Cloudify

Agenda

Actions

  • @mcleo-d and @alfredtommy to organise pull request review of GKE TF scripts #73 for Wednesday 4th November @ 2pm UK / 9am ET whilst inviting the wider community
  • @mcleo-d to rename PR #76 from EKS to Service Accelerator Template for EKS (Kubernetes) on Amazon AWS
  • @eddie-knight to form an opinion and report the viability of Pulumi and BDD Tests #62 including @leefaus & @alfredtommy
  • @tmewett to move forward with Consider Asciidoc for document markup #70 by combining with #72 if viable and appropriate.

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

Azure AKS definition

Completed Issues and Merged Pull Requests

  • add once complete

Current Work Items

  • Define the Service Approval Accelerator for Kubernetes on Azure #68 - @tmewett and @TLATER
  • Create scripts for deployment of Kubernetes on Azure cluster as defined in Service Approval Accelerator template - @eddie-knight and @TLATER
  • Testing and validation of above mentioned scripts
  • Raise PR request accordingly

Define the Control Framework for PostgreSQL on Microsoft Azure

Description

Define the Control Framework for PostgreSQL using the CSC Control Spreadsheet for reference.

Tasks

  • Create an azure\postgresql folder structure in the Cloud Services Certification project root.
  • Define the Control Framework for PostgreSQL as markdown.
  • Commit Control Framework for PostgreSQL to azure\postgresql folder.
  • Raise PR to project team for review and merge.

CSC Control Spreadsheet Template

The following is the CSC Control Spreadsheet Template on GitHub.

https://github.com/finos/cloud-service-certification/blob/master/templates/CSC%20control%20spreadsheet.xlsx

New AWS Cloud Service request AWS EventBridge

Building Artefacts for AWS EventBridge

I would like input from interested parties around AWS EventBridge for the next cloud service certification artefacts for AWS.

I am providing some links to the community to review and get educated on this service if they are not already familiar.

https://aws.amazon.com/eventbridge/
https://www.youtube.com/watch?v=28B4L1fnnGM
https://www.serverless.com/blog/eventbridge-use-cases-and-tutorial/

These should provide enough high level and detail to get you started towards understanding this service and allow for collaboration on building artefacts for the Service Certification.

The last link provides some specific detail about use cases so that it is clear this managed service is basically Cloudwatch under the covers with cron functions and a rules engine for multiple sources and destinations.

Simplifying Cloud Service Certification On-boarding and Project Information

It's been reported that on-boarding into the Cloud Service Certification working group can be confusing and disjointed.

For example, if you Google "FINOS Cloud Certification" you will most likely land on the GitHub page:
https://github.com/finos/cloud-service-certification

However, much of the important background information is found on the following Confluence page which the GitHub project doesn't link to:
https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

Discovering relevant information about the project, meetings, mailing lists, locating the code and wiki can be a challenge.

The potential resolution to this issue is to migrate related group information into the GitHub Cloud Service Certification repository and make sure all references and links point to GitHub.

This makes sure all related project information is together in a single place and is also good for Google which tends to point to the GitHub repo when searching the project.

It would be good to get further comments and thoughts from the Cloud Service Certification group before a decision to action is made.

Integrating Feedback into Service Approval Accelerator Template

Description

This story is to integrate Service Approval Accelerator Template feedback as supplied by @danizheleva and @alfredtommy during Cloud Service Certification meeting #35

Feedback supplied by @danizheleva

#35 (comment)

We have done some work to review Service Approval Accelerator Template. Since we cannot raise a PR with proposed structure change, I am posting on here for visibility for the group.

Overall there was a good overlap with the information in the template and the categories we have looked at for Azure services. Some changes could perhaps be to add some extra detail to the table in the document in the following way:

  1. Proposed structure of template:
    • Identity and Access Management
    • Authentication
    • Authorization
    • RBAC
    • Privileged Access Management
  2. Encryption & Secure Data Management
    • Encryption in transit
    • Encryption at rest
    • Certificate and Key Management
    • BYOK/HYOK Management
  3. Network Security
    • Endpoint localisation
    • IP Firewall rules
    • Data exfiltration prevention
  4. Logging and Monitoring
    • Security monitoring & Audit
    • Service Monitoring
    • Alert and incident management
  5. Resilience and Recovery
    • Data resilience (back ups/ replication)
    • Compute high availability
  6. External Certification (?) <- unsure what is meant by this
  7. Underlying OS (?) <- unsure what is meant by this
  8. CSP access
  9. Dependent Services

Feedback supplied by @alfredtommy

#35 (comment)

My suggestion for additional categories in the template:

  1. DLP (covered by Daniela as data exfiltration) -> under network security or encryption/data masking
  2. CSP support for latest secure/stable version of software -> independent category

Success Criteria

13 August 2020 - Cloud Service Certification Meeting

Date

Thursday 13 August 2020 - 10am EST / 3pm BST

Untracked attendees

Name Firm Comment

Agenda

Decisions Made

  • Decision 1
  • Decision 2
  • ...

Previous Action Items

  • @abdullahgarcia to merge GCP GKE pull request with @alfredtommy following successful project review - #48
  • @abdullahgarcia to merge #52 #50 wiki docs PRs with @mcleo-d
  • @danizheleva - To continue with Deutsche Bank Service Accelerator Template for Azure Postgres, skipping over the “Measure of Compliance” column, with the intention to review with the group when ready.
  • @danizheleva - Assess if “Measure of Compliance” column is relevant and remove from Service Accelerator Template if decided not needed with the group.
  • @mcleo-d to work with @leefaus on adding compliance as code open policy agent demo to future CSC agenda with the intention of future Armoury collaboration - #53 (comment)

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

18 June 2020 - Cloud Service Certification Meeting

Date

Thursday 18th June 2020 - 10am EST / 3pm BST

Untracked attendees

Name Firm Comment
Luis Maciel Itau
Eduardo Damiani Itau

Agenda

Previous Actions #35

Action Items

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

8 October 2020 - Cloud Service Certification Meeting

Date

Thursday 8 October 2020 - 10am EST / 3pm BST

Untracked attendees

Name Firm Comment
Gabriele Columbro FINOS @mindthegab

Agenda

Outstanding Requests

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

Add as GitHub Issues the prerequisites and dependencies needed for adding additional cloud services to project

Description of Problem:

Project prerequisites and dependencies to be added to GitHub issues for the community to pick up and contribute in preparation for the addition of more cloud services contributions. So ...

In the future, when Cloud Service Certification collaborators join the project, they know what needs to be contributed so the project team can move forward with adding additional cloud services.

Potential Solutions:

Add top three contributions needed from the community to GitHub issues that allow the additional cloud services to move forward.

Delivery of Google Kubernetes Engine (GKE) Service for GCP including Security Command Center

Description

@pudern and @alfredtommy from Searce to create, lead and deliver a Cloud Service Certification service that introduces and demonstrates GCP Security Command Center Service to CSC.

Success Criteria

  • Create an issue that describes introducing and demonstrating the GCP Security Command Center Service to the CSC project.
  • Decide on a single GCP service use case that's similar to current CSC AWS and Azure focus.
  • Contribution to focus on Google Kubernetes Engine (GKE) Service - https://cloud.google.com/kubernetes-engine/docs/concepts/kubernetes-engine-overview
  • Demonstrate through contributed code, configuration and integration examples how Security Command Center Service capabilities deliver CSC security and compliance requirements.
  • Demonstrate through code contribution how GCP services contributed to CSC run anywhere as reusable artefacts.
  • Raise a pull request for the first GCP service contribution into Cloud Service Certification that also includes ServiceApprovalAcceleratorTemplate.md 🎉

New Cloud Service Request

A new cloud service must follow the standard completion template. The 'definition of done' of a cloud service request is defined as follows:

  • Cloud Platform Target - Google Cloud Platform

The directory in which the Cloud Service will reside (/<cloud_platform>/<service_name>).

  • Service Name - Delivery of Google Kubernetes Engine (GKE) Service for GCP including Security Command Center

The name of the service.

  • Service Approval Accelerator Definition - Relates to PR #48

The written definition of a compliant service, including security, regulatory and quality standards for that service.

  • Define Control Framework with Test Case definition

Test cases to be created to prove the integrity of the given service. These tests will form the service controls.

  • Deployment Scripts Created

Terraform or YAML scripts to provision resources in keeping with the control framework.

  • Gherkin Scripts Created

BDD feature scripts that map the defined test cases onto the control framework.
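The last two items of the definition of done say the Gherkin feature scripts must map test cases onto the control framework. The following is an added example (not this project's code) of how that mapping can be made machine-checkable: each scenario carries a `@control:<ID>` tag, and a small coverage routine reports controls with no scenario and tags that reference no known control. The tag convention, the control IDs and the feature text are constructed assumptions for illustration, not conventions the project has adopted.

```python
"""Map Gherkin scenarios onto control-framework IDs and report coverage.

Added example; the @control:<ID> tag convention, the control list and the
feature text below are constructed for illustration.
"""
import re

# Constructed control framework: every ID should be exercised by a scenario.
CONTROLS = {
    "CRYPTO-01": "Data encrypted at rest",
    "NET-01": "Cluster API endpoint not exposed to the public internet",
    "IAM-01": "Workload identities bound to least-privilege roles",
}

# Constructed feature file in Gherkin syntax. IAM-01 is deliberately left
# without a scenario, and LOG-99 is a tag with no matching control.
FEATURE_TEXT = """\
Feature: Managed Kubernetes cluster security controls

  @control:CRYPTO-01
  Scenario: Secrets are encrypted at rest
    Given a cluster provisioned from the deployment scripts
    When I read the API server encryption configuration
    Then the write provider for secrets is not identity

  @control:NET-01 @control:LOG-99
  Scenario: Control plane is private
    Given a cluster provisioned from the deployment scripts
    Then the API endpoint has no public address
"""

TAG_RE = re.compile(r"@control:([A-Z]+-\d+)")


def parse_scenarios(text: str) -> list:
    """Return [(scenario_name, [control_ids])] from Gherkin text.

    Tag lines apply to the next Scenario / Scenario Outline that follows.
    """
    scenarios, pending = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("@"):
            pending.extend(TAG_RE.findall(stripped))
        elif stripped.startswith(("Scenario:", "Scenario Outline:")):
            name = stripped.split(":", 1)[1].strip()
            scenarios.append((name, pending))
            pending = []
    return scenarios


def control_coverage(text: str, controls: dict) -> dict:
    """Return which controls lack scenarios and which tags match no control."""
    by_control = {cid: [] for cid in controls}
    unknown = set()
    for name, cids in parse_scenarios(text):
        for cid in cids:
            if cid in by_control:
                by_control[cid].append(name)
            else:
                unknown.add(cid)
    uncovered = sorted(cid for cid, names in by_control.items() if not names)
    return {"uncovered": uncovered, "unknown": sorted(unknown), "by_control": by_control}


if __name__ == "__main__":
    report = control_coverage(FEATURE_TEXT, CONTROLS)
    for cid, names in report["by_control"].items():
        print(cid, CONTROLS[cid], "->", names or "NO SCENARIO")
    print("uncovered:", report["uncovered"])
    print("unknown tags:", report["unknown"])
```

Run in CI against the feature directory, a non-empty `uncovered` list fails the build, which is what turns the control framework from a document into an acceptance gate for the PR step above.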

27 August 2020 - Cloud Service Certification Meeting

Date

Thursday 27th Aug 2020 - 10am EST / 3pm BST

Untracked attendees

  • Fullname, Affiliation, (optional) GitHub username
  • ...

Agenda

  • Convene, roll call, welcome new people

  • Review action items from previous meetings

  • Approve previous meeting minutes - #56

  • Cloud Service Certification Kanban Review

  • Discussion of infographic, FAQ and intro documentation #55

  • Discussion on referencing documentation/code in other repositories

  • Discussion on OSS Forum

  • Discussion on initial contributions from CodeThink

  • AOB, Q&A & Adjourn (5mins)

Action Items

  • Infographic, FAQ and intro documentation #55, interested parties to comment on issue thread and a follow up session to be arranged
  • CodeThink to investigate first contribution options - possible Kubernetes for AWS or Azure or extension of GCP content
  • Team to consider options for OSS Forum, details to be provided by Tosha
  • Discussion at next session regarding linking/referencing code and documentation outside of Finos structure, eg Redhat OSS or Citihub OSS

Previous Action Items

  • @danizheleva - To continue with Deutsche Bank Service Accelerator Template for Azure Postgres, skipping over the “Measure of Compliance” column, with the intention to review with the group when ready.
  • @danizheleva - Assess if “Measure of Compliance” column is relevant and remove from Service Accelerator Template if decided not needed with the group.
  • ...

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project

24 September 2020 - Cloud Service Certification Meeting

Date

Thursday 24 September 2020 - 10am EST / 3pm BST

Untracked attendees

Name Firm Comment

Agenda

Previous Action Items

  • @peterrhysthomas to create an Epic in CSC GitHub Issues that represents the delivery and acceptance criteria of the Kubernetes service across all supported cloud services - #64
  • @alfredtommy to create an issue in GitHub that represents the technical delivery of the Kubernetes service for GCP to support the pull request that's being raised - #65
  • @abdullahgarcia to create an issue in GitHub that represents the creation of the Service Accelerator Template for the Kubernetes service in AWS - finos/terraform-aws-cfi-eks#5
  • @leefaus to create a GitHub issue that represents the integration of Pulumi for BDD test purposes against the next appropriate Kubernetes cloud service that's delivered by the team cc @alfredtommy - #62
  • @mcleo-d to create a 1 hour code review session with @danizheleva for the CSC group to review #60
  • @mcleo-d to create a GitHub Issue to support the offline prioritisation of the next CSC services after Kubernetes - #63

Action Items

  • Action 1
  • Action 2
  • ...

WebEx info

Webex:
https://finos.webex.com/finos/j.php?MTID=me0b8e6061812f875505b0caaceac3321

Dial-in
US +1-415-655-0003 US Toll
UK +44-20319-88141 UK Toll
Access code: 662 732 581

Github Repo: https://github.com/finos/cloud-service-certification/
Project Wiki Page: https://finosfoundation.atlassian.net/wiki/spaces/FDX/pages/904626436/Cloud+Service+Certification+Project
