IAM.4.01_remote_connections.html.md 2.76 KB
---
layout: handbook-page-toc
title: "IAM.4.01 - Remote Connections Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# IAM.4.01 - Remote Connections

## Control Statement

Remote connections to production systems are controlled with either two-factor authentication or an SSH connection.

## Context

Where, and only where, applicable, appropriate, and technically feasible, and with the understanding that GitLab is a cloud-native, fully remote, international organization that favors a Zero Trust network rather than a traditional corporate network, access is managed with a combination of [SSH](https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7966.pdf) and [two-factor authentication](https://csrc.nist.gov/glossary/term/Multi_Factor_Authentication).

## Scope

This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.

## Ownership

Control owner:

* Security Management

Process owner:

* Security Operations
* IT-Ops

## Guidance

Identity and access management systems should enforce SSH or 2FA for all connections to production systems and networks.

Evidence an auditor may request:
* Policy defining our SSH or two-factor authentication requirements
* Configuration showing that SSH or 2FA is required to connect to production systems
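
As an added illustrative example (not GitLab's own tooling, nor code from the projects referenced on this page), the following Python script checks an OpenSSH server's effective configuration against this control, which is the kind of configuration evidence listed above. It takes the output of `sshd -T` (or a raw `sshd_config`), treats a host as compliant when every `AuthenticationMethods` alternative requires two distinct methods, or when only key-based logins remain (no password, no keyboard-interactive), and lists what fails otherwise. Directive names and defaults are OpenSSH's; the sample configurations inside the block are constructed for the example, and the function names are this example's own.

```python
"""Check an OpenSSH server configuration against IAM.4.01 (added example,
not GitLab's own tooling). Input is the effective sshd configuration, e.g.
`sshd -T` output or a raw sshd_config; the samples below are constructed."""
import re

# sshd accepts "Key value" and "Key=value"; keywords are case-insensitive
# and `sshd -T` prints them in lower case.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(\S.*)$")


def parse_sshd_config(text):
    """Return {keyword: value}; sshd keeps the first value it reads for a
    keyword, and lines after the first Match are conditional and skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].lower() == "match":
            break
        m = _DIRECTIVE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings


def evaluate(settings):
    """Return (compliant, findings): compliant when every AuthenticationMethods
    alternative needs two distinct methods, or when key-based SSH is the only
    way in (no password, no keyboard-interactive). Absent keys use defaults."""
    def enabled(keyword, default="yes"):
        return settings.get(keyword, default).lower() == "yes"

    password = enabled("passwordauthentication")
    pubkey = enabled("pubkeyauthentication")
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication; accept both names.
    kbd = enabled("kbdinteractiveauthentication",
                  settings.get("challengeresponseauthentication", "yes"))
    methods = settings.get("authenticationmethods", "any").lower()
    findings = []

    if methods != "any":
        # Space-separated alternatives; each is a comma-separated chain that
        # must be completed in full, and any one alternative grants login.
        two_factor = True
        for alt in (a.split(",") for a in methods.split()):
            if len(set(alt)) < 2:
                findings.append(f"AuthenticationMethods alternative "
                                f"'{','.join(alt)}' needs only one factor")
                two_factor = False
            elif "keyboard-interactive" in alt and not kbd:
                findings.append("keyboard-interactive is required but "
                                "KbdInteractiveAuthentication is no")
                two_factor = False
        if two_factor:
            return True, findings

    if not pubkey:
        findings.append("PubkeyAuthentication is no; key-based SSH is unavailable")
    if password:
        findings.append("PasswordAuthentication is yes; password-only logins allowed")
    if kbd:
        findings.append("KbdInteractiveAuthentication is yes; PAM can still "
                        "prompt for a bare password")
    return pubkey and not password and not kbd, findings


def check(text):
    """Parse and evaluate one configuration."""
    return evaluate(parse_sshd_config(text))


# Constructed sample configurations (not real hosts).
KEY_ONLY = """
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# sshd keeps the first value it read, so this later line changes nothing:
PasswordAuthentication yes
"""

TWO_FACTOR = """
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

# The second alternative lets a key alone log in, so this is not 2FA.
PARTIAL_2FA = """
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive publickey
"""

if __name__ == "__main__":
    for name, cfg in [("key-only", KEY_ONLY), ("2fa", TWO_FACTOR),
                      ("partial-2fa", PARTIAL_2FA)]:
        ok, findings = check(cfg)
        print(f"{name}: {'PASS' if ok else 'FAIL'}", *findings, sep="\n  ")
```

Run as a script to see one PASS/FAIL line per sample, or pass real `sshd -T` output to `check()`. The keyboard-interactive checks are there because on hosts with `UsePAM yes`, turning off `PasswordAuthentication` alone still leaves a password prompt reachable through PAM, which is the usual way a "key-only" host turns out not to be.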

## Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remote Connections control issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/sec-compliance/compliance/issues/826).

### Policy Reference

* [Handbook>Engineering>Infrastructure>Team>Reliability Engineering>SRE Onboarding>Credentials](/handbook/engineering/infrastructure/team/reliability/sre-onboarding/#credentials)
* [Infrastructure README with instructions on setting up access](https://ops.gitlab.net/gitlab-com/gitlab-com-infrastructure#getting-started)
* [Infrastructure project>onboarding>SSH config](https://gitlab.com/gitlab-com/gl-infra/infrastructure/blob/3f30380f30faece696304922353c10c1e72011fd/onboarding/ssh-config)
* [Infrastructure instructions on setting up access using key-based SSH](https://gitlab.com/gitlab-com/runbooks/blob/master/howto/gstg-bastions.md)
* [Cookbook for future Okta ASA solution for SSH Access Control](https://gitlab.com/gitlab-cookbooks/gitlab_okta_asa)
* [Two Factor Authentication](/handbook/security/#two-factor-authentication)

## Framework Mapping

* SOC2 CC
  * CC6.6
  * CC6.7
* PCI
  * 8.1.1
  * 8.6