When an ISO 27001 audit walks through ReAct’s controls, the auditor sees a complete, immutable trail that ties every data‑access request to a verified identity, shows who approved it, and proves that sensitive fields were masked according to policy. The evidence is easy to locate, clearly correlated, and can be exported in the format required by the certification body. In that ideal state the organization can answer every clause about access control, audit logging, and data protection without digging through disparate logs or asking engineers to recreate missing steps.
In practice many teams build ReAct integrations that rely on static service accounts, embed credentials in CI pipelines, and let engineers connect directly to databases or Kubernetes clusters. Those connections often bypass any central logging layer, so the only record of a query or a pod exec lives in the local client history, if it exists at all. When the audit window opens, the security team scrambles to piece together who ran what, whether a privileged command received proper approval, and if any personally identifiable information (PII) was exposed. The result is a gap between the ISO 27001 requirement for traceable, controlled access and the reality of ad‑hoc, unrecorded sessions.
Current gaps in ReAct’s audit readiness
The typical starting point looks like this:
- Developers use a shared API key stored in a configuration file that grants broad read/write rights.
- Service accounts hold long‑lived credentials that never expire and are reused across environments.
- Engineers access the underlying PostgreSQL or Kubernetes API directly from their workstations, without a gateway that can enforce policy.
- Teams collect only occasional snapshots of query logs, and those snapshots lack user context or approval metadata.
These practices satisfy functional needs but violate ISO 27001 clauses about access control (A.9), audit logging (A.12.4), and protection of personal data (A.18). The audit artifacts that the standard expects (detailed session records, justification for privileged actions, and evidence of data masking) simply do not exist.
Why the data path must host the controls
The missing piece is a trustworthy point where every request passes before it reaches the target system. Identity and provisioning (the setup) tell the gateway who is asking for access, but without a choke point the request flows straight to the database or the cluster. That means no component can reliably block a dangerous command, insert an approval step, or redact a credit‑card number in a response. The only place enforcement can happen is the data path itself, where the traffic is observable and mutable.
ISO 27001 requires that the organization demonstrate that:
- All privileged actions log the initiator’s identity.
- Any access to sensitive fields receives either explicit approval or automatic masking.
- Evidence of these controls remains available for the audit period and can be reproduced on demand.
When the gateway sits in the data path, it fulfills each of those obligations directly, without relying on downstream systems to emit the right logs.
How hoop.dev provides the required evidence
hoop.dev is an open‑source Layer 7 gateway that proxies connections to databases, Kubernetes clusters, SSH hosts, and internal HTTP services. It sits between the identity provider and the target resource, so every packet passes through a single, policy‑driven enforcement point.
Because hoop.dev controls the data path, it can:
- Record each session. hoop.dev writes a chronological log that includes the user’s OIDC token, the exact command issued, and the timestamp. hoop.dev stores the log outside the target system, giving auditors a reliable evidence source.
- Apply just‑in‑time approval. When a request matches a high‑risk pattern, such as a DROP DATABASE command or a privileged pod exec, hoop.dev pauses the flow, notifies an approver, and forwards the request only after explicit consent.
- Mask sensitive fields inline. hoop.dev filters responses that contain regulated data (PCI, PII, etc.) before they reach the client, and it records the masking action alongside the original payload.
- Enforce least‑privilege scopes. The gateway consults group membership from the identity token and limits the set of tables, namespaces, or commands the user may invoke.
All of these outcomes exist because hoop.dev is the only component that sees the traffic before it reaches the backend. If the gateway were removed, the same requests would travel unfiltered, and none of the audit artifacts would be generated.
Implementation overview for ReAct
To bring ReAct into ISO 27001 compliance, follow these high‑level steps:
- Define identities. Configure your IdP (Okta, Azure AD, Google Workspace, etc.) to issue OIDC tokens that include group claims for each ReAct role (developer, operator, auditor).
- Deploy the gateway. Follow the getting started guide to launch hoop.dev in a Docker Compose or Kubernetes deployment that runs alongside your ReAct services.
- Register each ReAct endpoint. In hoop.dev’s configuration, add a connection for the PostgreSQL instance, the Kubernetes API server, and any SSH bastion that ReAct uses. The gateway stores the service credentials; users never see them.
- Configure policies. Create rules that require approval for privileged commands, enable inline masking for columns that hold credit‑card numbers, and restrict access to read‑only schemas for junior engineers.
- Enable session recording. Turn on the audit log feature so hoop.dev captures every interaction. Teams stream the logs to a SIEM or another retention system for the audit period.
- Validate evidence. Use the learn section to verify that the generated logs contain the required fields (user ID, command, approval ID, masking action) and that you can export them in the format your certification body requests.
Because hoop.dev is open source, you can inspect the code, extend the policy language, or integrate with existing security tooling without adding a proprietary layer.
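As an added illustration, not hoop.dev's code or its configuration format, the following Python models the data-path controls listed in the previous section and the evidence check in the last implementation step: a decision driven by the OIDC group claims, just-in-time approval for high-risk commands, inline masking of card numbers, and an audit record validated against the fields named above. The group names, command patterns and record layout are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed policy for illustration only; not hoop.dev's configuration syntax.
HIGH_RISK = [re.compile(r"\bDROP\s+DATABASE\b", re.I),      # destructive SQL
             re.compile(r"\bkubectl\s+exec\b", re.I)]        # pod exec
WRITE_SQL = re.compile(r"^\s*(INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE)\b", re.I)
READ_ONLY_GROUPS = {"react-developer"}      # assumed junior role: read-only schemas
CARD = re.compile(r"\b(?:\d{4}[- ]?){3}(\d{4})\b")
REQUIRED_FIELDS = ("user_id", "command", "timestamp", "decision",
                   "approval_id", "masking_action")

def evaluate(claims, command):
    """Decide what the gateway does with a request, using group claims from the OIDC token."""
    groups = set(claims.get("groups", []))
    if not groups:
        return "deny"                               # no role claim: fail closed
    if groups <= READ_ONLY_GROUPS and WRITE_SQL.search(command):
        return "deny"                               # least-privilege scope
    if any(p.search(command) for p in HIGH_RISK):
        return "approval_required"                  # pause for just-in-time approval
    return "allow"

def mask(response):
    """Redact card numbers in a backend response, keeping only the last four digits."""
    masked = CARD.sub(lambda m: "****-****-****-" + m.group(1), response)
    return masked, len(CARD.findall(response))

def audit_record(claims, command, decision, approval_id=None, masked_count=0):
    """Build the session record an auditor needs; written outside the target system."""
    return {
        "user_id": claims["sub"],
        "groups": sorted(claims.get("groups", [])),
        "command": command,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "decision": decision,
        "approval_id": approval_id,
        "masking_action": f"card_numbers_redacted={masked_count}",
    }

def validate_record(record):
    """Check that a record carries every field the audit evidence must contain."""
    return all(k in record for k in REQUIRED_FIELDS)
```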
Frequently asked questions
Do I still need to rotate database passwords?
Yes. hoop.dev stores the credentials it uses to talk to the backend, but credential hygiene remains a best practice. The gateway reduces the blast radius of a leaked password by limiting who can invoke it.
Can hoop.dev be used with existing CI pipelines?
Absolutely. CI jobs obtain short‑lived OIDC tokens from the same IdP and then connect through hoop.dev. The pipeline benefits from the same just‑in‑time approval and audit logging as interactive users.
How long should I retain audit records?
You decide the retention period in your internal policy. hoop.dev writes the logs to the destination you configure, so you can keep them for the period required by ISO 27001, typically at least one year.
Ready to see the code and start the deployment? View the open‑source repository on GitHub and follow the quick‑start instructions.