The Evident Security Platform (ESP) provides visibility into the security state of the shared security responsibilities customers have in AWS.
ESP also has the ability to control access to security reports based on a hierarchical organization structure. You can design the structure to match your company’s organizational structure, or one that makes sense with your security remediation workflow. This is also an important requirement for Segregation of Duties (SOD) controls in the various compliance frameworks, such as HIPAA, ISO 27001, SOC 2, etc.
The structure in ESP, ordered from the broadest to the most fine-grained visibility, is:
- Organization – The company or business unit that holds the ESP subscription
- Sub Organization – A business unit or department within the organization
- Teams – As the name suggests, a group within a sub organization
- Users – They can be assigned to sub organizations and teams
- External Accounts – Contain the IAM Role ARN and can belong to only one sub organization and one team
You decide where to place the users and external accounts. Visibility of ESP security reports is controlled entirely in the Users window of the ESP Control Panel.
The following is an example of how complex the reporting structure can be:
As far as security assessments are concerned, someone with broad security responsibilities across the company should have visibility into every sub organization and team, while a software developer only needs to view the reports for their own team. Visibility into organizations, sub organizations and teams is explicit: if a user should see a particular team's reports (or all reports), that user must be added each time a new team and external account is created.
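The explicit-visibility rule above, modelled as an added Python example (this is not ESP's own code or API; the class names, sample sub organizations, teams and role ARNs are all constructed): a user sees an external account's report only through a grant on its sub organization or on its exact team, and an account created under a new team stays invisible until someone is explicitly added.

```python
from dataclasses import dataclass, field

# Hypothetical model of the ESP hierarchy (constructed for this post; not ESP's own data model or API).
@dataclass(frozen=True)
class ExternalAccount:
    role_arn: str   # IAM Role ARN that ESP assumes to assess the AWS account
    sub_org: str    # an external account belongs to exactly one sub organization
    team: str       # ... and exactly one team within it

@dataclass
class User:
    email: str
    sub_orgs: set = field(default_factory=set)  # explicit sub-organization grants
    teams: set = field(default_factory=set)     # explicit (sub_org, team) grants

def can_view(user, account):
    """Visibility is explicit: only a grant on the account's sub organization
    (which covers all of its teams) or on its exact team makes the report visible."""
    return (account.sub_org in user.sub_orgs
            or (account.sub_org, account.team) in user.teams)

def visible_arns(user, accounts):
    """Role ARNs whose reports appear in this user's report and dashboard view."""
    return sorted(a.role_arn for a in accounts if can_view(user, a))

def missing_grants(user, accounts):
    """Audit helper for a user who is meant to see everything: the accounts they
    cannot see, typically teams created after their grants were last reviewed."""
    return [a for a in accounts if not can_view(user, a)]

ACCOUNTS = [  # constructed sample data with placeholder AWS account ids
    ExternalAccount("arn:aws:iam::111111111111:role/EvidentRole", "Engineering", "Payments"),
    ExternalAccount("arn:aws:iam::222222222222:role/EvidentRole", "Engineering", "Platform"),
    ExternalAccount("arn:aws:iam::333333333333:role/EvidentRole", "Finance", "Reporting"),
]

def demo():
    """Grant / new-team / revoke cycle; returns what each audit step found."""
    accounts = list(ACCOUNTS)
    ciso = User("ciso@example.com", sub_orgs={"Engineering", "Finance"})
    dev = User("dev@example.com", teams={("Engineering", "Payments")})
    before = len(missing_grants(ciso, accounts))                      # 0: sees everything
    accounts.append(ExternalAccount("arn:aws:iam::444444444444:role/EvidentRole", "Marketing", "Web"))
    after_new = [a.team for a in missing_grants(ciso, accounts)]      # ["Web"]: nobody is granted automatically
    ciso.sub_orgs.add("Marketing")                                    # the explicit grant fixes it
    after_grant = len(missing_grants(ciso, accounts))                 # 0
    ciso.sub_orgs.discard("Finance")                                  # unchecking the sub org in the Users window
    after_revoke = [a.team for a in missing_grants(ciso, accounts)]   # ["Reporting"]
    return before, after_new, after_grant, after_revoke, visible_arns(dev, accounts)
```

Running `missing_grants` for every "see everything" user after each new external account is onboarded is the check that keeps the explicit model from silently drifting.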
In the example below, we take a fictitious user, email@example.com, and give that user access to all teams:
We can easily remove access by unchecking the sub organization or team in the list and clicking save.
This would generate a report (and dashboard) view such as the following:
As you can see, ESP can help you satisfy SOD controls for compliance and for your organization, while giving you flexibility in the constantly changing world of DevOps and AWS account security management.
Please feel free to reach out to me at firstname.lastname@example.org