Originally posted by @Wolfgang Hausner in October 2022
We have more and more setups where products are built on internally provided “platforms”. For example, an AWS-based microservice environment that products can use to build their microservice-based products upon. These platforms cover parts of the countermeasures, but some of them have to be covered by the product.
Another example is that the AWS accounts used by products are not empty and freely configurable accounts but part of our AWS organization, where several things are preconfigured and/or enforced by SCP (Service Control Policy). For example, the whole CloudTrail logging is configured and enforced centrally.
We looked into IriusRisk templates, but according to my understanding this is a one-shot approach and further evolution of the “platform” can’t be synced into the products using it.
We internally now found a solution by using an Excel sheet and a Python script that generates a rules library XML that we import into IriusRisk to trigger rules that set certain countermeasures automatically to “implemented” when a component is in a corresponding trust zone. Ideally this functionality would be available within IriusRisk.
Our questions are:
- Do you also have such “platform” use cases?
- If yes, how do you cover them in IriusRisk?
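The spreadsheet-to-rules-library generator the post describes, as an added example that is not the poster's script: it reads a constructed platform/trust-zone mapping and emits one rule per trust zone that marks the platform-covered countermeasures as implemented. The XML element and attribute names (`library`, `rule`, `condition`, `action`, `setCountermeasureState`) are a hypothetical placeholder schema, not IriusRisk's actual rules library format, and the platform, zone and countermeasure identifiers are made up.

```python
"""Generate a rules library from a platform / trust-zone coverage mapping.

Assumption: the element and attribute names below are a hypothetical schema
standing in for the real IriusRisk rules library format; adapt them to the
structure of a library exported from your own instance.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of the spreadsheet export: which countermeasures the
# platform already covers for any component placed in a given trust zone.
PLATFORM_MAPPING_CSV = """\
platform,trust_zone,countermeasure_ref
aws-org,aws-org-account,CT-CLOUDTRAIL-LOGGING
aws-org,aws-org-account,SCP-REGION-RESTRICTION
ms-platform,ms-platform-zone,SVC-MTLS
"""


def load_mapping(csv_text):
    """Parse the export into {trust_zone: sorted list of countermeasure refs}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mapping.setdefault(row["trust_zone"], set()).add(row["countermeasure_ref"])
    return {zone: sorted(refs) for zone, refs in mapping.items()}


def build_rules_library(mapping, library_ref="platform-coverage"):
    """One rule per zone: component in zone -> platform-covered countermeasures implemented."""
    library = ET.Element("library", ref=library_ref)
    rules = ET.SubElement(library, "rules")
    for zone, refs in sorted(mapping.items()):
        rule = ET.SubElement(rules, "rule", name=f"platform-covers-{zone}", module="component")
        ET.SubElement(rule, "condition", type="trustZone", value=zone)
        for ref in refs:
            ET.SubElement(rule, "action", type="setCountermeasureState", ref=ref, value="implemented")
    return library


def rules_library_xml(csv_text):
    """Serialise the generated library for import."""
    return ET.tostring(build_rules_library(load_mapping(csv_text)), encoding="unicode")


def implemented_for(csv_text, zone):
    """Read back what the generated rules mark implemented for a zone (sanity check before import)."""
    for rule in build_rules_library(load_mapping(csv_text)).iter("rule"):
        cond = rule.find("condition")
        if cond is not None and cond.get("value") == zone:
            return [a.get("ref") for a in rule.findall("action") if a.get("value") == "implemented"]
    return []
```

Regenerating and re-importing the library whenever the platform's coverage sheet changes is what keeps products in sync, which is the gap the post identifies with one-shot templates.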