Compliance
Security Posture Summary
| Control | Status | Notes |
|---|---|---|
| Secrets not stored in Git | ✅ Implemented | All secrets in GCP Secret Manager, synced via ESO |
| Service account least-privilege | ✅ Implemented | Per-service SAs with minimal permissions |
| Workload Identity (no static keys) | ✅ Implemented | All GKE pods use Workload Identity |
| mTLS between services | ✅ Implemented | Istio STRICT PeerAuthentication in all app namespaces |
| TLS on all external traffic | ✅ Implemented | Let's Encrypt cert, Istio TLS termination |
| Database SSL enforcement | ✅ Implemented | ENCRYPTED_ONLY on Cloud SQL |
| Database private IP only | ✅ Implemented | No public IP on Cloud SQL instances |
| Zero-trust network (dev) | ✅ Implemented | GCP firewall deny-all with trusted-IP allowlist |
| Database deletion protection | ✅ Implemented | deletion_protection_enabled = true on staging SQL |
| Automated backups | ✅ Implemented | 30-backup retention on staging Cloud SQL |
| PITR enabled | ✅ Implemented | Binary logging on staging Cloud SQL |
| KMS for sensitive data | ✅ Implemented | Identity service uses GCP KMS for encryption/HMAC |
| Internal tool auth | ✅ Implemented | OAuth2 Proxy with Google, restricted to @orofi.xyz |
| Zero-trust network (staging) | ⚠️ Partial | Staging relies on Istio mTLS, not GCP-level firewall |
| Zero-trust network (production) | [NEEDS TEAM INPUT] | Document production network security posture |
| Audit logging | ⚠️ Review needed | GCP audit logs enabled, but review retention and alerting |
| Secret rotation policy | [NEEDS TEAM INPUT] | Define and document rotation schedule |
| Penetration testing | [NEEDS TEAM INPUT] | Schedule and document results |
| SOC 2 / ISO 27001 | [NEEDS TEAM INPUT] | Document compliance certifications if applicable |
| GDPR compliance | [NEEDS TEAM INPUT] | Document data classification and residency |
Access Matrix
Human Access to GCP Projects
| Role / Person | orofi-dev-cloud | orofi-stage-cloud | orofi-prod | orofi-cloud (DNS) |
|---|---|---|---|---|
| Platform Team | [NEEDS TEAM INPUT] | [NEEDS TEAM INPUT] | [NEEDS TEAM INPUT] | [NEEDS TEAM INPUT] |
| Backend Engineers | [NEEDS TEAM INPUT] | [NEEDS TEAM INPUT] | Read-only? | [NEEDS TEAM INPUT] |
| DevOps / SRE | [NEEDS TEAM INPUT] | [NEEDS TEAM INPUT] | [NEEDS TEAM INPUT] | [NEEDS TEAM INPUT] |
| Data Engineers | [NEEDS TEAM INPUT] | [NEEDS TEAM INPUT] | None | None |
Service Account Access to Secrets
| Service Account | Secrets Accessible |
|---|---|
| api-gateway-public-sa | {env}-api-gateway-public-secret, shared secrets, redis auth |
| api-gateway-account-sa | {env}-api-gateway-account-secret, shared secrets, redis auth |
| api-gateway-oro-sa | {env}-api-gateway-oro-secret, shared secrets, redis auth |
| api-gateway-admin-dashboard-sa | {env}-api-gateway-admin-dashboard-secret, shared secrets, redis auth |
| microservice-communication-sa | Communication secret, Firebase, shared secrets, redis auth |
| microservice-identity-sa | Identity secret, JWT keys, Firebase, KMS, shared secrets, redis auth |
| microservice-monolith-sa | Monolith secret, shared secrets, redis auth |
| microservice-analytics-sa | Analytics secret, shared secrets, redis auth |
| {env}-ext-secrets-manager | ALL secrets (ESO needs access to sync them all) |
| bitbucket | Secret viewer + accessor (for CI/CD secret reading) |
Kubernetes RBAC
| User Group | Dev Cluster | Staging Cluster | Production Cluster |
|---|---|---|---|
| Platform Team | cluster-admin | cluster-admin | cluster-admin |
| Backend Engineers | developer (edit) | view | [NEEDS TEAM INPUT] |
| [NEEDS TEAM INPUT] | | | |
ArgoCD Access
| Role | Permissions | Who |
|---|---|---|
| role:readonly | View all apps, no sync | Default for all users |
| Admin | Sync, rollback, delete | [NEEDS TEAM INPUT] |
Audit Log Retention
GCP Cloud Audit Logs are enabled by default for all services. Current retention:
- Default retention: 400 days for Admin Activity logs
- [NEEDS TEAM INPUT: confirm custom retention policies are configured if compliance requires longer retention]
Key audit log events to monitor:
- Secret Manager secret access (google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion)
- IAM policy changes (SetIamPolicy)
- GKE cluster API calls (google.container.v1.ClusterManager.*)
- Cloud SQL operations (google.cloud.sql.*)
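The four event classes above can be turned into a first-pass detector. The block below is an added example, not code from this page or the Orofi platform: it runs over constructed Cloud Audit Log entries (one LogEntry JSON object per line), classifies each by methodName, and additionally flags secret reads by any principal other than the ESO service account, which the access table says is the one identity expected to read every secret. The project id and the expected-reader set are assumptions.

```python
import fnmatch
import json

# Event classes from the list above as fnmatch patterns on protoPayload.methodName;
# SetIamPolicy is matched by suffix because each GCP service prefixes it differently.
WATCHED_METHODS = {
    "secret-access": ["google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"],
    "iam-change": ["*SetIamPolicy"],
    "gke-api": ["google.container.v1.ClusterManager.*"],
    "cloudsql": ["google.cloud.sql.*"],
}

# Principals expected to read secrets routinely (the ESO SA syncs all of them).
# PROJECT_ID is a placeholder, not the real project.
EXPECTED_SECRET_READERS = {"stage-ext-secrets-manager@PROJECT_ID.iam.gserviceaccount.com"}

# Constructed sample entries, one LogEntry JSON object per line; not real log data.
SAMPLE_LOG = """\
{"protoPayload":{"methodName":"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion","resourceName":"projects/PROJECT_ID/secrets/stage-shared-secret/versions/3","authenticationInfo":{"principalEmail":"stage-ext-secrets-manager@PROJECT_ID.iam.gserviceaccount.com"}}}
{"protoPayload":{"methodName":"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion","resourceName":"projects/PROJECT_ID/secrets/stage-identity-secret/versions/1","authenticationInfo":{"principalEmail":"someone@example.com"}}}
{"protoPayload":{"methodName":"SetIamPolicy","resourceName":"projects/PROJECT_ID","authenticationInfo":{"principalEmail":"someone@example.com"}}}
{"protoPayload":{"methodName":"google.container.v1.ClusterManager.UpdateCluster","resourceName":"projects/PROJECT_ID/locations/europe-west1/clusters/stage","authenticationInfo":{"principalEmail":"someone@example.com"}}}
{"protoPayload":{"methodName":"google.cloud.sql.v1.SqlInstancesService.Delete","resourceName":"projects/PROJECT_ID/instances/stage-db","authenticationInfo":{"principalEmail":"someone@example.com"}}}
{"protoPayload":{"methodName":"google.logging.v2.LoggingServiceV2.ListLogEntries","resourceName":"projects/PROJECT_ID","authenticationInfo":{"principalEmail":"someone@example.com"}}}
"""

def classify(entry):
    """Return the watch category for one LogEntry dict, or None if it is not watched."""
    method = entry.get("protoPayload", {}).get("methodName", "")
    for category, patterns in WATCHED_METHODS.items():
        if any(fnmatch.fnmatchcase(method, p) for p in patterns):
            return category
    return None

def findings(log_text):
    """Parse JSON lines and return (category, principal, resource, note) per watched event."""
    out = []
    for line in filter(None, log_text.splitlines()):
        entry = json.loads(line)
        category = classify(entry)
        if category is None:
            continue
        payload = entry["protoPayload"]
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        note = ""
        if category == "secret-access" and principal not in EXPECTED_SECRET_READERS:
            note = "secret read by a principal outside the expected set"
        out.append((category, principal, payload.get("resourceName", ""), note))
    return out
```

Call `findings(SAMPLE_LOG)` to see the five flagged events; the ListLogEntries line is ignored. Note that AccessSecretVersion is recorded as a Data Access audit log, which is not enabled by default, so this check sees no secret reads until Data Access logging is turned on for Secret Manager.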
Data Classification
[NEEDS TEAM INPUT: document data classification:
- PII (Personally Identifiable Information) — which services store it, in which databases
- Payment card data — does Orofi process payments? PCI DSS scope?
- Health data — is there any HIPAA consideration?
- Data residency requirements — must data stay in specific GCP regions?]
Incident History
[NEEDS TEAM INPUT: document significant security incidents, their impact, and the remediations applied. This is often required for SOC 2 audits.]
| Finding | Severity | Status | Owner | Target Date |
|---|---|---|---|---|
| Staging zero-trust not at GCP firewall level | Medium | Open | Platform Team | [NEEDS TEAM INPUT] |
| ESO service account has access to ALL secrets | Medium | By design — review | Platform Team | [NEEDS TEAM INPUT] |
| Secret rotation schedule not defined | High | Open | [NEEDS TEAM INPUT] | [NEEDS TEAM INPUT] |
| Backup restore not periodically tested | High | Open | Platform Team | [NEEDS TEAM INPUT] |
| [NEEDS TEAM INPUT: other findings] | | | | |
See Also