Policy Governance with OSCAL
Robert Ficcaglia

$ id
Robert Ficcaglia, co-chair wg-policy

$ ls -al .stuff_i_do
- Kubernetes sig-security
- SOX, SOC2, HIPAA, ISO, HITRUST, FISMA, CJIS, FedRAMP
- OSCAL
- Machine Learning, especially with Graphs

$ history
- Focused on Kubernetes (P)olicy and (p)olicy
- Contributions to the Kubernetes community: PolicyReport CRD (aligned with OSCAL), Kubernetes Policy White Paper, PolicyReport Dashboard + adapters (Falco, Kubeconf, Kyverno, more)
- In progress: Policy Governance Whitepaper, OSCAL examples and NIST collaboration, review and use cases for CEL-based Admission Control, PolicyReport KEP

Basic (P)olicy Questions
- Who should have access to IaC/clusters?
- Who can deploy workloads and services to your clusters?
- What resources should be in my IaC/clusters?
- What actions can users perform?
- What permissions do workloads have within clusters?
- What are the network policies between workloads within clusters?

Configuration (p)olicy Questions
- What resource configs can be deployed in your clusters?
- How to isolate workloads?
- How to manage data flows?
- How do you set limits on the resources available to a workload?
- What baseline configuration standards/defaults for workloads?
- Can I verify the integrity of workload images?
- Cross cutting concerns, e.g. storage and access roles?
- Provisioning or meta-admin cluster(s)?

CONOPS: Declarative configuration
Kubernetes supports declarative control by specifying users' desired intent. The intent is carried out by asynchronous control loops, which interact through the Kubernetes API. This declarative approach is critical to the system's self-healing, autonomic capabilities, and application updates. This approach is in contrast to manual imperative operations or flowchart-like orchestration.

Gitops vs. GRC?
https:/

OSCAL?

Kubernetes Policy + OSCAL = Compliance-as-Code
- PolicyReport CRD -> OSCAL Assessment Result
- RedHat and IBM contributions
- Platform One: all using and/or collaborating on OSCAL and using Kubernetes; many examples in gitlab repos
- Defense Unicorns Lula: Kyverno policy generation
- SLEDGEHammer: NIST 800-53 OSCAL + automation

Why do I need Compliance-as-Code?
Reactive is too expensive: not enough time, not enough people.
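The "PolicyReport CRD -> OSCAL Assessment Result" step from the Compliance-as-Code slide above, worked end to end as an added example (this is not code from the talk, nor from Gatekeeper, Kyverno, the PolicyReport project or NIST): a constraint parameterized with the list of allowed image-repo prefixes is evaluated over constructed pod specs, the outcomes are written in the shape of a PolicyReport (modeled on the wgpolicyk8s.io/v1alpha2 CRD), and that report is transformed into an OSCAL assessment-results (SAR) document. The pod specs, registry names, the control id cm-7.5 (the OSCAL id form of CM-7(5), chosen only for illustration) and the import-ap href are assumptions made for this example, and the assessment-results field layout is as understood here rather than taken from the page, so validate the output against the NIST OSCAL JSON schema before relying on it.

```python
"""Parameterized allowed-repos policy -> PolicyReport -> OSCAL assessment results.
Added example; not code from the talk, Gatekeeper, Kyverno or the OSCAL project."""
import json
import uuid
from datetime import datetime, timezone
from typing import List

# Constraint parameters: the list of prefixes a container image is allowed to
# have (values constructed for this example).
PARAMETERS = {"repos": ["registry.example.com/prod/", "registry.example.com/base/"]}

# Constructed pod specs, trimmed to the fields the policy reads.
PODS = [
    {"metadata": {"name": "payments-api", "namespace": "prod"},
     "spec": {"containers": [{"name": "api", "image": "registry.example.com/prod/payments:1.4.2"}]}},
    {"metadata": {"name": "debug-shell", "namespace": "prod"},
     "spec": {"containers": [{"name": "sh", "image": "docker.io/library/busybox:latest"}]}},
    {"metadata": {"name": "sidecar-test", "namespace": "staging"},
     "spec": {"containers": [{"name": "app", "image": "registry.example.com/base/nginx:1.25"},
                             {"name": "helper", "image": "ghcr.io/example/helper:0.1"}]}},
]

def evaluate_allowed_repos(pod: dict, params: dict) -> List[str]:
    """One violation message per container whose image does not start with an
    allowed prefix (the same prefix test the Gatekeeper allowed-repos constraint makes)."""
    return [f"container <{c['name']}> has an invalid image repo <{c['image']}>"
            for c in pod["spec"]["containers"]
            if not any(c["image"].startswith(p) for p in params["repos"])]

def build_policy_report(pods, params, policy="allowed-repos", rule="image-prefix") -> dict:
    """PolicyReport-shaped document (modeled on the wgpolicyk8s.io/v1alpha2 CRD)."""
    results = []
    summary = {"pass": 0, "fail": 0, "warn": 0, "error": 0, "skip": 0}
    for pod in pods:
        violations = evaluate_allowed_repos(pod, params)
        outcome = "fail" if violations else "pass"
        summary[outcome] += 1
        results.append({
            "policy": policy, "rule": rule, "result": outcome,
            "message": "; ".join(violations) or "all images come from allowed repos",
            "resources": [{"apiVersion": "v1", "kind": "Pod",
                           "name": pod["metadata"]["name"],
                           "namespace": pod["metadata"]["namespace"]}],
        })
    return {"apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
            "metadata": {"name": f"polr-{policy}"}, "summary": summary, "results": results}

def policy_report_to_sar(report: dict, control_id: str) -> dict:
    """Transform a PolicyReport into an OSCAL assessment-results (SAR) document.
    Field layout follows the OSCAL assessment-results model as assumed here
    (one observation per resource, one finding per result with a target status);
    validate the output against the NIST OSCAL JSON schema before relying on it."""
    now = datetime.now(timezone.utc).isoformat()
    observations, findings = [], []
    for r in report["results"]:
        res = r["resources"][0]
        subject = f"{res['kind']}/{res['namespace']}/{res['name']}"
        obs_uuid = str(uuid.uuid4())
        observations.append({"uuid": obs_uuid, "title": f"{r['policy']}/{r['rule']} on {subject}",
                             "description": r["message"], "methods": ["TEST"], "collected": now})
        findings.append({
            "uuid": str(uuid.uuid4()),
            "title": f"{control_id} {r['result']} for {subject}",
            "description": r["message"],
            "target": {"type": "objective-id", "target-id": control_id,
                       "status": {"state": "satisfied" if r["result"] == "pass" else "not-satisfied"}},
            "related-observations": [{"observation-uuid": obs_uuid}],
        })
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()),
        "metadata": {"title": f"SAR generated from {report['metadata']['name']}",
                     "last-modified": now, "version": "1.0", "oscal-version": "1.1.2"},
        "import-ap": {"href": "#assessment-plan-placeholder"},  # hypothetical AP reference
        "results": [{"uuid": str(uuid.uuid4()), "title": "Cluster policy scan",
                     "description": "PolicyReport transformed to OSCAL assessment results",
                     "start": now, "observations": observations, "findings": findings}],
    }}

def open_risks(sar: dict) -> List[str]:
    """Finding titles whose target is not satisfied: feed for a risk log or POA&M."""
    return [f["title"] for f in sar["assessment-results"]["results"][0]["findings"]
            if f["target"]["status"]["state"] == "not-satisfied"]

if __name__ == "__main__":
    sar = policy_report_to_sar(build_policy_report(PODS, PARAMETERS), control_id="cm-7.5")
    print(json.dumps(sar, indent=2))
    print("open risks:", open_risks(sar))
```

Two design points worth noting. The allowed-repos decision is a plain prefix match, so a parameter value without a terminal "/" (for example "registry.example.com/prod") would also admit images under "registry.example.com/production-unreviewed/"; keep every prefix anchored on a path separator and cover that case in the policy's unit tests. The SAR output is ordinary JSON, which is what lets it live in the same git repo or BLOB store as the policies that produced it, with open_risks() giving the list that feeds a risk log.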
Problems get amplified: one configuration mistake is amplified across templates, then amplified across deployments, which means 1000s of vulns. Assessment and audits take months. GRC vs. gitops: controls, components, SAR. A quick IRL example: 19.7x cost to fix a problem in production vs. at PR time; recovery time unknown; response time unknown; release frequency 7 working days minimum; PR to deploy has huge variance, 1-30+ days.

Consistent, Codified Guard Rails
- User and Workload Identity
- Task and Workload Based Access + Networking: isolation
- Continuous Authorization
- Auditing
- Workload Inventory, Classification and Drift Detection
- Data Exposure Risk Inventory, Classification, and Leakage Detection
- Consistency across clusters: reduce cognitive load
- Aggregation for analytics
- Analytics and Benchmarking
- FUTURE STATE: Formal modeling
- FUTURE STATE: Predictive ML

IRL Challenges
- Kubernetes is great for loosely coupled apps
- Many apps are monoliths, and that's fine for many use cases
- Kubernetes itself is evolving and best practices are still being pressure tested
- Service meshes and FaaS even more so
- Need "Policy Patterns"?
- "Fibonacci" ops: as #clusters + apps grow, complexity growth is exponential
- Policy as a "spira mirabilis"

Utility: How useful is policy for X during Y?
Phases: Construction, Deployment, Baseline/Normal Operations, SRE/Outliers, SecOps/Incident Response
Ratings as extracted (the per-phase cell alignment of the original table is not recoverable): Delivery Time: -+; Separation of Concerns: +; Risk Reduction: +; Efficiency: -+/-; Functionality: -+/-+; Compliance: +-+/-

COMPLIANCE-AS-CODE CANVAS

Compliance Journey: Sound familiar?
- Takes too long, too expensive to deliver new things
- Kubernetes pilot project
- Early adopter teams pile on, everyone makes things up as they go
- Uh oh, something breaks (or gets hacked). No one knows how to fix it! Finger pointing
- Compliance too complex!

Policy Library
- Control Catalog and Profile
- Benchmarks and Baselines are a useful starting point: CIS Benchmarks
- Preventive Controls: what APIs and how they are used, IaC constraints
- Detective Controls: security features, alerts
- Organization around blueprints
- Manage in a git repo with PRs and a branch management strategy: Kill and Yank
- Fork: initially simple, harder over time
- Patch: good for low frequency
- Composition
- Pull: use APIs for distribution
- Push policies to selected resources, e.g. namespace and/or label selector
- Transformation: OSCAL itself does this
- Generation/DSL: Rego
- Automation: dynamic, aids encapsulation, mitigates ordering problems
- Parameterization: Gatekeeper

Policy Schemas
- Example: Gatekeeper ConstraintTemplate
- Kyverno rules written in YAML
- OpenAPIv3 schema: test
- OCM policy-templates
- CEL templates
- Blueprints provide the connection to policy schemas
- Define unit tests for the policy templates
- Validate Policy Libraries using tests and pre-prod replay modeling

Policy Assembly
- DSL gen: control <-> subject mapping
- Ex: using TTPs to match to the policy library (e.g. dynamic policy composition)
  applicable_policy := vm:compute, lambda:compute, container:compute, ip:network, securitygroup:network, waf:network, ssd:storage, volume:storage
- Automation: keyword regexes and heat map analysis
- Using graphs, e.g. K8s NetworkPolicies
- API based, e.g. OpenAPI to Rego generation
- Hybrid: component "legos", DSL + API
- "Functional" components: control-implementations, assessment-subjects
- Graph "security capabilities": groups of control implementations in the Component Model

Profiles and Parameters
- Specific baseline controls + params
- Assemble parameterized policy, e.g. a constraint parameter block:
  parameters:
    # repos: The list of prefixes a container image is allowed to have.
    repos:
      -
- OPA parameters, Kyverno Variables, CEL environment cel.Variable
- Ex: Mutating webhook AC for adding values to constraints
- Here Be Dragons: Parameterization is easy at first, difficult to maintain over time

Policy Validation
- Local Tests
- Unit Tests
- Pipeline testing
- Mocking
- Pre-Prod Tests against a cluster
- Replay Testing from Prod logs
- Coverage

Policy Distribution
- Policy Bundle Registry (e.g. OPA API, cloud storage)
- Git repo
- Helm chart repositories
- OPA can consume policy bundles packaged as OCI images
- OCM Placement
- Cloud specific (GCP Config, AWS S3/SSM, Azure Policy extension)

Conditional Policy Enforcement
- Using External Data during policy decision eval
- How: OPA external data pull/send, Gatekeeper external data Providers, Kyverno OCI image metadata, OCM Secrets
- Examples: verifying container signatures, per-tenant policies

Policy Assessment and Reporting
- PolicyReport CRD, e.g. Kyverno and OCM: transform to SAR
- OPA/Gatekeeper Audit, Prometheus Metrics
- Do you need a GUI or git? SAR is another OSCAL artifact and can be managed in git or a cloud BLOB store

Automated Remediation (Policy Adjacent)
- Remediate Drift with Controllers or sidecars, e.g. CloudCustodian
- PolicyReport, PR gen:
  Sandbox/Isolate, Logging/Telemetry + Mutate Labels for TTPs
- Generate POA&M
- Risk Log and Open Risks

Cross Cutting Concerns
- Heuristics, e.g. govCAR
- Threat Model, e.g. MITRE ATT&CK
- Static Analysis
- Formal Methods
- Graph ML, LLMs

What's Next?
- More IRL examples
- Operators using 3rd party audits
- More better tools
- Community involvement! SLEDGEHammer
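The Policy Assembly slide's applicable_policy mapping and its "keyword regexes" heuristic, worked through as an added example (not code from the talk or from any project it names): subject types are mapped to the compute/network/storage categories, the applicable policies are composed from a library by category, the result is turned into the control-to-subject view that feeds a heat map, and the same library is queried by TTP description. The library entries, the inventory, the regex patterns and the TTP texts are constructed for the example; the control ids are NIST SP 800-53 identifiers used only for illustration.

```python
"""Dynamic policy composition from subject types and TTP keywords.
Added example; not code from the talk or from any project it names."""
import re
from collections import defaultdict
from typing import Dict, List

# Subject type -> capability category, as listed on the Policy Assembly slide.
APPLICABLE_POLICY = {
    "vm": "compute", "lambda": "compute", "container": "compute",
    "ip": "network", "securitygroup": "network", "waf": "network",
    "ssd": "storage", "volume": "storage",
}

# Constructed policy library: names and keyword regexes are hypothetical,
# control ids are NIST SP 800-53 identifiers used for illustration.
POLICY_LIBRARY = [
    {"name": "allowed-image-repos", "category": "compute",
     "controls": ["CM-7", "SI-7"], "keywords": r"image|registry|container"},
    {"name": "no-privileged-containers", "category": "compute",
     "controls": ["AC-6", "CM-6"], "keywords": r"privilege|root|escalat"},
    {"name": "default-deny-networkpolicy", "category": "network",
     "controls": ["SC-7", "AC-4"], "keywords": r"ingress|egress|network|lateral"},
    {"name": "encrypt-volumes-at-rest", "category": "storage",
     "controls": ["SC-28"], "keywords": r"disk|volume|at rest"},
]

# Constructed inventory of assessment subjects for one cluster/account.
INVENTORY = [
    {"type": "container", "name": "payments-api"},
    {"type": "container", "name": "checkout-web"},
    {"type": "securitygroup", "name": "sg-ingress-prod"},
    {"type": "volume", "name": "pvc-payments-db"},
    {"type": "mainframe", "name": "legacy-batch"},  # type unknown to the map
]

def assemble(inventory, library=POLICY_LIBRARY) -> Dict[str, List[str]]:
    """Policy name -> subjects it applies to; subjects whose type has no
    category get nothing and are surfaced by uncovered_subjects()."""
    composed: Dict[str, List[str]] = defaultdict(list)
    for subject in inventory:
        category = APPLICABLE_POLICY.get(subject["type"])
        for policy in library:
            if category is not None and policy["category"] == category:
                composed[policy["name"]].append(subject["name"])
    return dict(composed)

def uncovered_subjects(inventory, library=POLICY_LIBRARY) -> List[str]:
    """Subjects no policy reaches: the gaps the assembly step must report."""
    covered = {s for subjects in assemble(inventory, library).values() for s in subjects}
    return [s["name"] for s in inventory if s["name"] not in covered]

def control_subject_map(inventory, library=POLICY_LIBRARY) -> Dict[str, List[str]]:
    """Control id -> subjects covered: the control-implementation to
    assessment-subject view; the per-control counts are the heat map input."""
    by_name = {p["name"]: p for p in library}
    mapping: Dict[str, set] = defaultdict(set)
    for name, subjects in assemble(inventory, library).items():
        for control in by_name[name]["controls"]:
            mapping[control].update(subjects)
    return {c: sorted(s) for c, s in sorted(mapping.items())}

def match_ttp(description: str, library=POLICY_LIBRARY) -> List[str]:
    """Keyword-regex heuristic: which library policies speak to a TTP text."""
    return [p["name"] for p in library
            if re.search(p["keywords"], description, re.IGNORECASE)]

if __name__ == "__main__":
    print(assemble(INVENTORY))
    print("uncovered:", uncovered_subjects(INVENTORY))
    print(control_subject_map(INVENTORY))
    print(match_ttp("Adversary deploys a container from an untrusted registry as a privileged pod"))
```

The keyword step is deliberately a heuristic: it ranks candidate policies for a human to confirm, and a subject type missing from applicable_policy (legacy-batch above) is the signal that the mapping, not the inventory, needs extending before the composed policy set is trusted.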