Tag-security: Scoping and recommendation for compliance and vulnerability elements applied to cloud native infrastructure

Created on 24 Aug 2018  路  6Comments  路  Source: cncf/tag-security

The issue of wether this is in-scope or out-of-scope has come up multiple times and multiple context. As a group, let us identify what if any part of compliance and vulnerability is in-scope and how it relates to cloud native ecosystem.
The goal (and boundary) here is to help out components of cloud native ecosystem projects.

inactive suggestion

Most helpful comment

So there are two elements here that I think we should bifurcate.

a) There's the aspect of policies/configurations that CNCF projects should take into account so their users can satisfy regulatory compliance requirements. Or a reference to any projects that are tools that directly support compliance-related activities.

b) There's also a more holistic notion of continuous compliance that we as a WG should develop guidance on. This could encompass guidance on regulatory audits, development of attestation and compliance artifacts, etc. in the context of the CNCF technology/security categories. I would argue that the paperwork is probably the biggest pain point and most costly for organizations in highly regulated industries. A good bridge for this might be the Cloud Security Alliance, and more specifically, the Cloud Controls Matrix -> https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview and Enterprise Architecture -> https://cloudsecurityalliance.org/group/enterprise-architecture//#_overview

All 6 comments

So there are two elements here that I think we should bifurcate.

a) There's the aspect of policies/configurations that CNCF projects should take into account so their users can satisfy regulatory compliance requirements. Or a reference to any projects that are tools that directly support compliance-related activities.

b) There's also a more holistic notion of continuous compliance that we as a WG should develop guidance on. This could encompass guidance on regulatory audits, development of attestation and compliance artifacts, etc. in the context of the CNCF technology/security categories. I would argue that the paperwork is probably the biggest pain point and most costly for organizations in highly regulated industries. A good bridge for this might be the Cloud Security Alliance, and more specifically, the Cloud Controls Matrix -> https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview and Enterprise Architecture -> https://cloudsecurityalliance.org/group/enterprise-architecture//#_overview

Here's my 2 cents...

secure access, policy control and safety for operators, administrators, developers, and end-users across the cloud native ecosystem

From this there are a number of roles (e.g., developer and operators - which can be subdivided into platform/cluster operators and app operators). There's also the idea of safety where I found a nice simple definition of "freedom from danger, risk, or injury".

I would look to generate outputs that benefit these groups in a useful manner. In this case I mean Jakob Nielsen's definition which is essentially useful = usability + utility.

With that in mind:

  • For developers produce a white paper with practical guidance on developing applications in a secure way. For example, applications that are not expected to run with access to root. A paper as a practical guide.
  • For application operators, a paper that talks about practically operating applications in a secure manner. Things such as access controls, network layer security because services, etc. Then provide a practical guide for doing this in Kubernetes.
  • Provide a white paper (and example process?) to explaining a method to review the security of a collection of cloud native services.
  • Recommend tools for inclusion in the CNCF or for cloud users in general to adopt (e.g., Clair)
  • Note tooling or process gaps in security that need to be addressed (a generated list)? This will help people to identify opportunities

These are written to be practical and build concrete deliverables, something they are looking for in the CNCF WG process. Because access and policies are commonly talked about in this group I didn't touch them on my list.

I have started a draft doc on the practical outputs that SAFE could enable related to compliance. Feedback / edits welcome!

Is it time to move this doc into GitHub rather than a google doc?

Is this content that we think would be part of the whitepaper?

EDIT: This seems more like roadmap, i will put that tag on it.

This issue has been automatically marked as inactive because it has not had recent activity.

Was this page helpful?
0 / 5 - 0 ratings