tag-security
CNCF Cloud Native Security Map Vanilla
For a much more detailed guide on this project and how to start contributing, please comment on the issue and take a look at https://docs.google.com/document/d/1ytshTEnoKqP0m0JFKO4IB2qEFaIAZc9jDet6VdeT3sE/
Description:
We have discussed the vision of the cloud native security map (#348), the ideas and discussions are available in this google doc. The eventual goal for the Cloud Native Security Map requires a HUGE effort. Therefore, we are breaking this down into a series of major contributions.
Therefore, the following proposes the initial version of the Cloud Native Security Map (CNSMAP), which is the bare content necessities and design principles required for the CNSMAP. The goal is to complete this effort for publicizing by the CNCF and TOC for Kubecon EU 2021 in May.
Impact:
Impact is documented in this google doc.
- [x] SIG Representative - @lumjjb
- [x] Project leader(s)
- Brandon Lum (@lumjjb) (SIG TL)
- Ash Narkar (@ashutosh-narkar) (SIG TL)
- Diego Comas (@dcomas)
Contributors: Listed in https://docs.google.com/document/d/1HZPpzTc-OMDPbWu5PDPto5kym5ngPgQiwgk5My5X-GI/edit
Scope:
For the map, it will be a representation of the list of topics and navigating between the topics; this does not include links between topics and thematic aspects of the CNSMAP.
Timeline:
- Kickoff: 3 March
- Content 1 (70%): 17 March
- Content 2 (completion): 24 March
- PROD ready Prototype: 24 March
- Improvements to content + code: Finalize by Apr 16 for CNCF evaluation + marketing for kubecon EU
Dev info:
Latest stage: http://cnsmap.github.io/ , Code: https://github.com/lumjjb/cnsmap
Scoped Topics Tasks List - number is the count of topics per category.
- Develop (3)
- Distribute (3)
- Distribute.Testing (3)
- Distribute.Artifacts and Images (3)
- Deploy (3)
- Runtime.Compute.Orchestration (5)
- Runtime.Compute.Containers (3)
- Runtime.Compute (4 - 2 optional)
- Runtime.Storage (4)
- Runtime.Access (3)
- Security Assurance and Controls (5 - 3 optional)
- Compliance (2)
@lumjjb I'm happy to volunteer to be one of the project leaders.
I'm glad to help in this effort too.
Just posted in Slack, but also interested. Been reading through the content as it currently is.
I am happy to volunteer to help with this effort.
I'm happy to help with this effort!
I'd love to support this effort!
Hi all and welcome to the issue/channel (#sig-security-whitepaper-map)! We are starting the content contribution phase. The idea is that over the next 2 weeks we will be working on writing the content in the google doc, and we will have an optional meeting occasionally to track our progress and answer any questions.
The next meeting is going to be next Wednesday 10 March at 9:30AM PST / 12:30 PM EST. Please send me your email address for an invite!
So what's next! To start getting involved!
Step 1: Go to the document, https://docs.google.com/document/d/1ytshTEnoKqP0m0JFKO4IB2qEFaIAZc9jDet6VdeT3sE/edit and go down to the Content Contribution Table section, then put your name in the table beside the topics that you would like to contribute to.
Step 2: Scroll down to the topic that you'd like to contribute to, and start filling up the sections. The goal is to provide additional content which can be pragmatically used by practitioners/learners...
The sections include:
- projects - CNCF/Open Source projects and their links that are relevant to the section, commercial projects are also valid, but should be marked explicitly
- examples - what are some examples of implementing some of these security controls - be specific! The idea is to provide an illustration of topics in the whitepaper
- links - Any other links that are relevant, blog posts, standards, etc. If there are doubts on what exactly this topic means, the topic titles contain links to the whitepaper. This should give you a better idea conceptually on what the topic is about.
And whenever in doubt, take a look at the Content Contribution section (which has a filled-in content example), or you can ping @Ash, @Diego Comas, @Vinay Venkataraghavan, @Brandon Lum if you have questions or need further guidance!
Hi @lumjjb @ashutosh-narkar and @dcomas I am happy to contribute on the Zero Trust part
@fdicarlo thanks, I will add your name in the table. You can join the discussion in the Slack channel, where you can share your email with us to give you access to the doc: cloud-native.slack.com #sig-security-whitepaper-map
I'm going to try to make the time to help with this.
Hi All! We are going to be meeting an hour before the SIG meeting, not compulsory, but if you have any questions on contributing or like to get a bit more background on the project, do join in!
Time: 12pm-1pm EST, 9am-10am PST (This is 1 hour before regular SIG meeting) Meeting link: meet.google.com/goe-ehpx-ucy
Would love to help. Have requested write access to the doc.
You should have access now. Thanks
@dcomas, I would like to contribute as well. I know there are some efforts around adding hardware-based security using HSM/TPM. I think having configuration protection using a TPM is a great feature for Cloud based technologies. This is just one of the solutions I have seen in Datacenters that I would love to see in Cloud environments. I will try to join for at least part of the call today.
I'd like to help as well. Have requested write access to the doc now.
Hi All, the doc looks awesome and is really shaping up! Love all the content so far! There are a couple of topics that folks have signed up for but haven't filled in yet; with that done, we should be on track to reaching our 70% content goal by Wednesday!
No meeting for this week, the next one will be on 24th March! But be sure to keep your calendars up to date with daylight savings in effect now!
Hi, working on my part between this evening and tomorrow (so before deadline)
I will add my first contributions tomorrow. Also before the deadline :) Thanks for the summary @lumjjb
UPDATE: first contributions added.
Related #348
@lumjjb, I am getting confused over here.
I added my contributions about "Signing, Integrity and Trust" to this document https://docs.google.com/document/d/1HZPpzTc-OMDPbWu5PDPto5kym5ngPgQiwgk5My5X-GI/edit#heading=h.lzd2ob2mrbjp
Afterwards, I saw "Signing, Integrity and Trust" mentioned here https://docs.google.com/document/d/1ytshTEnoKqP0m0JFKO4IB2qEFaIAZc9jDet6VdeT3sE/edit#heading=h.6ir79kvwirrt
Could you please tell me which document is primary and where I should make my contributions?
@lumjjb , I also saw some overlap between "Image Trust and Content integrity" and "Signing, Trust and Integrity". Maybe some parts of them could be merged?
I added information about sigstore as one more solution. It is a new Linux Foundation project. It offers what RedHat Simple Signing can do plus a transparency log. Extra info: It does not yet have a TPM backend.
Hi All! We are in the last stretch of content creation, there are just a couple more topics which need additional information. Some of these only require examples to be added (with the -examples tag). Would be awesome if we can get a couple more contributions to round up this work!
Below is a copy of the table in the document: https://docs.google.com/document/d/1ytshTEnoKqP0m0JFKO4IB2qEFaIAZc9jDet6VdeT3sE/edit#heading=h.nx6klypo0kk2
@mtverraen is also helping out with the development of the map website. If you are interested in helping out with the dev on this, please let us know! We will show a prototype with the content in a week or two!
Here's a copy of the list from the doc!
| Topic | Assignees |
|---|---|
| Development of Tests | |
| Code Review | |
| Resource Requests and Limits | |
| Control Plane Authentication and Certificate Root of Trust | |
| Storage Stack | |
| Storage Encryption | |
| Persistent Volume Protection | |
| Availability | |
| Threat modeling | |
@tomoveu I saw your additions to the doc. There's some overlap with content because of the way the whitepaper is structured, so there is bound to be some overlap. There are plans to help address these overlaps by linking the topics in the future. But I saw your additions on sigstore! Thanks for contributing!
@lumjjb - Ping me when you're ready for design help and I'll get you in the queues.
@amye We are ready for design help! This is what we have today: https://cnsmap.vercel.app/ courtesy of @mtverraen :)
LP-7305 is in with the design team
@lumjjb I added a "special considerations" piece under the "Develop" ==> "Security Checks in Development" ==> "Examples" section (i.e. for corner cases where pods can't be locked-down as much as we'd ideally like). Is that OK, or is the section frozen? If so, I can yank it out.
Other than that, I'm further populating the "Zero Trust Architecture" and "Least Access" sections plus examples (topics I like to research in personal time).
Cheers!
Edit: they are currently "suggestions", until they're approved/merged.
Thanks @IAXES , all good we are still in content review!
No prob!
By the way, are we removing the "least access principle" section? I see some related pieces with a strikethrough/crossed-out format applied to it.
Lastly, will the final document be a Google doc, or is it being converted to an ODT, or some markup based format (i.e. LaTeX, rST, MD, etc.)? If the latter, I've done a lot of work with these formats and can volunteer to "chop wood, carry water" with respect to those pieces (if needed).
Cheers!
I have the design team on deck for whenever we have a final draft of text, that's the gateway here to get design involved.