Dunder Mifflin Compliance and Control Framework deployment in 7 minutes

GoalClone the DMI Compliance and Control Framework custom mods, install, run unit tests, then build and upload to your workspace.
Time7 minutes

Prerequisites

  • Ensure you have signed up with the Turbot Guardrails mod registry.
  • You will need Turbot Guardrails API access keys. If you do not have keys for your profile, you can generate new ones.
  • You will need to know the URL of your Turbot Guardrails workspace(s).

Install the Turbot Guardrails CLI

  • Download the latest Turbot Guardrails CLI. The latest version is available from Turbot Guardrails Releases.
  • Unzip the turbot binary into a directory in your PATH (for example /usr/local/bin/turbot)
  • Run turbot --version to verify your CLI version.

Cloning DMI custom mods

DMI custom mods source code lives inside the Turbot CLI Repository. First, clone the Guardrails Sample Repository mod project:

git clone https://github.com/turbot/cli.git

Installing dmi-ccf mod

Navigate into the dmi-ccf mod folder:

cd cli/example-mods/@dmi/dmi-ccf

Install the dmi-ccf mod:

turbot install

Inspecting dmi-ccf mod

To inspect and verify the structure of the mod use the turbot inspect command

turbot inspect

Testing dmi-ccf mod

Running Unit tests

Running all tests:

turbot test

Running tests of a specific control:

turbot test --control [control name]

Uploading dmi-ccf mod

Hint: You don't need to upload dmi-ccf mod to a workspace in order to run the dmi-ccf-aws mod locally. So, you might skip to dmi-ccf-aws mod installation

Before deploying the mod, you first need to install its dependencies on the workspace.

First check mod dependencies at src/turbot.yml file, then follow this guide to install them on the workspace.

After that, run the following command to upload the mod into the workspace defined in the local Turbot Guardrails CLI configuration file, usually located at [user home]/.turbot/config.yml

turbot up --profile=[target workspace profile]

Installing dmi-ccf-aws mod

After having the dmi-ccf mod installed, we may proceed with the dmi-ccf-aws mod.

The turbot-cli argument --peer-path ../.. will be used here to map all the custom mods under the @dmi folder. This argument is needed because the dependence dmi-ccf is only available locally inside the @dmi folder.

turbot install --peer-path ../..

The turbot install command installs a mod and all of its dependencies locally

Inspecting dmi-ccf-aws mod

To inspect and verify the structure of the mod use the turbot inspect command

turbot inspect --peer-path ../..

Testing dmi-ccf-aws mod

Running Unit tests

Running all tests:

turbot test --peer-path ../..

Running tests of a specific control:

turbot test --peer-path ../.. --control [control name]

Uploading dmi-ccf-aws mod

Before deploying the mod, you first need to install its dependencies on the workspace.

First check mod dependencies at src/turbot.yml file, then follow this guide to install them on the workspace.

After that, run the following command to upload the mod into the workspace defined in the local Turbot CLI configuration file, usually located at [user home]/.turbot/config.yml

turbot up --peer-path ../.. --profile=[target workspace profile]

About DMI Control Framework

At this point you should probably have the dmi-ccf and dmi-ccf-aws mods up and running on your workspace, or at least installed locally. Now, let's learn more about the DMI Control Framework

Overview

Dunder Mifflin Paper Company, Inc. (DMI) is a fictional paper sales company featured in the American television series The Office.

DMI defines its own compliance framework to ensure security and regulatory compliance. This compliance framework provides a set of prescriptive controls for network and data security, user authentication and authorization, and monitoring.

While Turbot provides capabilities to meet most of DMI's control objectives, DMI would like to be able to search, filter, and report on compliance to their specific controls using the Turbot console. DMI employees are already aware of the DMI framework, and they communicate using the terms and definitions defined there.

To meet this requirement, DMI has decided to write a Turbot custom mod. This mod will leverage existing Turbot resources and CMDB data but will present the data in the native structure of the DMI Control Framework. Note that automated remediation ("enforce") is out of scope - these controls will be "check" mode only (existing Turbot controls can be used to remediate the items if desired, however)

The DMI Compliance and Control Framework

The Dunder Mifflin Compliance and Control Framework (DMI CCF) is composed of a set of generalized controls, with separate implementations (benchmarks) that provide specific technical implementations for each technology platform.

The DMI Control Framework is composed of the following control categories (The sections are common to all platforms):

  1. Authentication & Access Control
  2. Data Security & Encryption
  3. Network Security
  4. Logging & Auditing
  5. Data Protection & Business Continuity

The DMI AWS Benchmark provides implementation requirements specific to AWS. The AWS Benchmark is divided into sections per AWS service.

  1. IAM
  2. S3
  3. CloudTrail
  4. RDS

Each section contains multiple numbered control items. Each of these control items maps back to a control category in the control framework.

Benchmark ItemControl Category
AWS.IAM.001 - Password policy meets complexity requirementsAuthentication & Access Control
AWS.IAM.002 - Require MFA for console usersAuthentication & Access Control
AWS.S3.001 - Set Default Encryption on S3 BucketsData Security & Encryption
AWS.S3.002 - Enable Versioning on S3 BucketsData Protection & Business Continuity
AWS.VPC.001 - Disallow access to management ports from 0.0.0.0/0Network Security
AWS.CloudTrail.001 - Enable Cloudtrail in All RegionsLogging & Auditing
AWS.RDS.001 - Enable RDS Backups with standard DB retentionData Protection & Business Continuity

Guidelines

Each control targets the most specific resource for its purpose: For example, a control targeting user information will target users. A control targeting security group rule details would target the security group.

All Custom Reporting Framework controls are based on information in the CMDB. They must work when Turbot is limited to read only credentials for the provider.

Control/Policy Type Hierarchy

The control and policy type hierarchies map each Turbot policy and control to a DMI Control item.

The DMI benchmark item IDs follow a consistent structure: {provider}.{control section}.{id number} - for example: AWS.IAM.001. The Turbot type hierarchy mirrors DMI's benchmark structure:

  • The top-level type is Dunder Mifflin
  • The next level is the provider abbreviation
  • The next level is the DMI Benchmark Section that the item belongs to:
    • Dunder Mifflin > AWS > IAM
    • Dunder Mifflin > AWS > S3
    • Dunder Mifflin > AWS > VPC
    • Dunder Mifflin > AWS > CloudTrail
    • Dunder Mifflin > AWS > RDS
  • The next level is the individual control item. As in CIS, this contains the full control ID as well as the title. For example:
    • DMI Control Item: AWS.IAM.001 - Password policy meets complexity requirements haves policies and controls: Dunder Mifflin > AWS > IAM > AWS.IAM.001 - Password policy meets complexity requirements

See also About Dunder Mifflin Paper Company, Inc.