🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!

Home Page: https://cncf.io/projects

License: Other


CNCF Security Technical Advisory Group

Objective

The CNCF Security Technical Advisory Group facilitates collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem.

Background

Cloud Native describes building, deploying, and operating modern applications in cloud computing environments, typically using open source software. This ecosystem of many independent open source projects presents an increasingly complicated technology risk landscape. Several cloud native projects already address trust, safety, and security in the dynamic interplay between the layers of infrastructure and application services, but the technological shift demands that application and information security be rethought through the lens of developer experience: applying software engineering practice to design for security considerations, so that the integrated cloud native ecosystem is safeguarded as a whole.

Vision

We believe in a future where the probability and impact of attacks, breaches, and compromises are significantly reduced, where the most common risks of today are not just mitigated but made implausible. We believe developers and operators can be empowered to understand, and be reassured by, the security posture of the systems they build and run through the informed use of cloud technologies, with a clear understanding of responsibility and risk and the ability to validate that their architectural intent meets compliance and regulatory objectives.

There is a growing ecosystem of tools that promises to unlock developer productivity and operational efficiency. We strive to fulfill the human side of the sociotechnical equation in order to accelerate and attain that promise, including:

  1. Consumable system security architectures that account for the ever-growing heterogeneity of systems and provide a framework to protect resources and data while serving their users.
  2. Common lexicon and open source libraries that make it easy for developers to create and deploy apps that meet system security requirements.
  3. Common libraries and protocols that enable people to reason about the security of the system, such as auditing and explainability features.

Publications

TAG Security has published several resources for the community, which can be found in the publications document.

Governance

The Security TAG charter outlines the scope of our group's activities, and our governance process details how we work.

Communications

Anyone is welcome to join our open discussions of Security TAG projects and share news related to the group's mission and charter. Much of the work of the group happens outside of Security TAG meetings and we encourage project teams to share progress updates or post questions in these channels:

Group communication:

Leadership:

Slack governance

Refer to the slack governance document for details on slack channels and posting to the channels.

Meeting times

For our members in North and South America, we host weekly sessions each Wednesday at 10 am (UTC-7). To participate, simply use the following Zoom link: https://zoom.us/j/99809474566. The meeting ID is 998 0947 4566.

Meanwhile, participants from Europe, the Middle East, and Africa (EMEA) can join bi-weekly meetings on Wednesdays at 1 pm UTC+0, which adjusts to UTC+1 when daylight saving time is in effect. Join us through this Zoom link: https://zoom.us/j/99917523142, with the meeting ID: 999 1752 3142.

To find the corresponding time in your local area, please see your timezone here.

This dual schedule ensures that no matter where you are, you'll have a place in our conversations.

We invite you to mark your calendars and join the dialogue. For your convenience, all meetings are listed on the main CNCF calendar as well as the TAG Security Calendar. These calendars are updated regularly to ensure that you stay informed of all upcoming meetings and events.

Got something to bring up or share? Review how to get a topic or presentation added to the Agenda on our process page.

Gatherings

Please let us know if you are going to, or are interested in attending (or helping to organize!), a gathering. Create a GitHub issue for the event and add it to the list below:

Past events

New members

If you are new to the group, we encourage you to check out our New Members Page.

Related groups

There are several groups that are affiliated with Security TAG, or whose work covers topics relevant to it. These can be seen here.

History

Members

Security TAG Chairs

  • Andrew Martin (@sublimino), ControlPlane [Chair term: 3/17/2022 - 3/17/2024]
  • Pushkar Joglekar (@PushkarJ), Independent [Chair term: 6/3/2023 - 6/3/2025]
  • Marina Moore (@mnm678), NYU [Chair term: 10/3/2023 - 10/3/2025]

Tech Leads

Security TAG Chair Emeriti

  • Dan Shaw (@dshaw), PayPal [Chair term: 6/3/2019 - 9/3/2020]
  • Sarah Allen (@ultrasaurus), [Chair term: 6/3/2019 - 6/3/2021]
  • Jeyappragash JJ (@pragashj), Tetrate.io [Chair term: 6/3/2019 - 6/3/2021]
  • Emily Fox (@TheFoxAtWork), Apple [Chair term: 9/28/2020 - 2/4/2022]
  • Brandon Lum (@lumjjb), Google [Chair term: 6/3/2021 - 6/3/2023]
  • Aradhana Chetal (@achetal01), TIAA [Chair term: 6/3/2021 - 9/3/2023]

On-going projects

Security reviews

Security reviews are a collaborative process, for the benefit of cloud native projects and their prospective users, that creates a consistent overview of a project and its risk profile.

Facilitator: Justin Cappos (@JustinCappos), New York University

Co-chair representatives: @sublimino @PushkarJ

Software Supply Chain Security

Software supply chain attacks have come to the wider community's attention following recent high-profile attacks, but they have been an ongoing threat for a long time. With the ever-growing importance of free and open source software, software supply chain security is crucial, particularly in cloud native environments where everything is software-defined.

Weekly meetings at 8:00 AM PT (50 min) (see your timezone here) See CNCF calendar for invite.

The facilitator for each current deliverable is listed on its issue.

Additional information

CNCF Security TAG reviews

As part of the CNCF project proposal process, projects should create a new security review issue with a self-assessment.

Past events and meetings

For more details on past events and meetings, please see our past events page

Issues

Perspective of a security professional with @izgeri

@izgeri is working with CyberArk to see if there are any security professionals within the org who perform security analysis as part of their job who could speak to their experience working within today's cloud platforms. Specifically, it would be interesting to find someone who could discuss what tools or resources would make their job easier.

Map CNCF projects in the SAFE Landscape

TO DO:

  • create draft categories: #66
  • discuss in SAFE WG with initial categorization
  • invite CNCF projects to review categories and sign up to meet with us to discuss their position in the landscape
    • Security and Policy solutions
      • SPIFFE / SPIRE - Evan
      • Notary
      • TUF
      • OPA - Torin with updater
    • Projects with Security Concerns
      • gRPC
    • Platforms (consider sub-projects that can be used stand-alone, such as Envoy, Mixer):
      • Istio
      • Kubernetes

[k8s/wg-policy] External systems in control

The Kubernetes Policy Working Group has been discussing how to deal with external policy control systems in clusters.
Thread: Kubernetes developer/contributor discussion › External systems in control - interest in WG?

@k82cn is working on a doc to gather thoughts/requirements.

  • Share doc and outcomes from these discussions with the SAFE working group

From Kubernetes Policy WG Meeting Notes/Agenda

It was suggested that we consider looking at this slightly differently:

  • Consider a 3rd party policy checking system, where the check might be long-running
  • In that case incoming K8s requests may need to delayed/buffered/cached/something until the 3rd party system can perform its checks
  • This is similar to webhooks/admission-controllers except that those don’t allow for a long-running check to be done. If K8s recycles during that process then the request will be lost. If there were a way to support long-running checks then we may have a solution for svc-cat’s issue

cc @lizrice

ABAC Enterprise use-case discovery

Connecting SAFE members with a real-world scenario of ABAC implemented on a graph database with a user friendly RBAC abstraction for users and operators.

  • Jason Melo and Christian Kemper discussing a higher level conceptual, architectural and implementation overview on 12/4
  • Jason Melo discussing a demo for the SAFE group with ADP Product Owner Michael Hirawady on 13/4, based on this discussion we will propose an upcoming Friday for a show and tell with this group, Date TBD.

Container Security?

Suggestion: We might ask for a presentation from StackRox, Aqua, Twistlock or that ilk to understand if there are specific issues that we may wish to address.

SAFE in the Context of Continuous Integration/Deployment

The advent of DevOps and the roots of agile have meant decreased cycle time for release - generally represented as CI/CD to reflect integration and deployment. Because DevOps adds facets of Ops and infrastructure to the mix, risks can be elevated. New threat models emerge. An example of this is containers, where visibility to traditional security tools has only recently been added (StackRox, Twistlock, Aqua etc.). Both for assurance and safety, as well as to maintain the cadence desired for CI/CD (consider the frequency of mobile app updates, for instance), CI/CD involves both new and tweaked/refreshed techniques. In particular, left-shifting of test harnesses, automated testing and test evaluation, and provisioning for dev/test/QA/prod environments that may be app-specific are all within the purview of InfoSec, especially in the scalable setting offered in the cloud environment.

In the Google and Netflix reported (via YouTube presentations) test environment, thousands of tests are run and assessed daily. This is clearly a paradigm shift, and for most everyone else with more limited resources, will present both governance, assurance and scalability challenges.

REFERENCES (to follow)

Consider better coordination between network based security and identity based security

Network security and identity based security tends to be considered in isolation. Projects like Istio are re-thinking this approach and allow you to secure the service to service communication based on service identities.

It is difficult for administrators to think about these aspects together and we should try to take that into account. Problems in this area are:

  1. With ephemeral containers, providing a stable IP address as a "service identity" becomes increasingly difficult
  2. In a microservice environment expressing the notion that two services can talk to one another if they are on a shared network becomes harder to manage.
  3. How can we make it easy for administrators to move from an IP based to an identity based security model.
  4. Alternatively: How can we make it easy for administrators to mix IP based and identity based security models.

Tigera Calico is trying to address this in their networking policy. They allow a mix of "ip based identities" and "cert based identities"

@pragashj @tk2929 thoughts?
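As an added illustration of problems 3 and 4 above (an editor's example, not taken from the issue or from the Calico or Istio projects), the same intent, "only the frontend may call the ledger service", expressed first as an IP-based Kubernetes NetworkPolicy and then as an identity-based Istio AuthorizationPolicy. The namespaces, labels, service account name, CIDR and paths are assumed for the example.

```yaml
# Added example for this page; names, namespaces and CIDRs are assumed.
# 1) IP-based: a Kubernetes NetworkPolicy that admits traffic to the ledger
#    pods only from an address range. Trust is bound to the range, so the
#    rule silently breaks when pods are rescheduled or traffic is SNATed
#    (problem 1 in the issue above).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ledger-allow-frontend-cidr
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: ledger
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.42.0.0/16   # assumed to be where the frontend runs
      ports:
        - protocol: TCP
          port: 8080
---
# 2) Identity-based: require mTLS so every caller presents a workload
#    certificate, then authorize by the SPIFFE principal in that certificate
#    rather than by where the packet came from.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ledger-allow-frontend-identity
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
    - from:
        - source:
            # identity of the frontend workload, independent of its IP
            principals: ["cluster.local/ns/web/sa/frontend"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/v1/charge"]
```

Two checks matter when moving between the models. The Kubernetes documentation notes that `ipBlock` is intended for cluster-external addresses, because pod IPs are ephemeral and may be rewritten by NAT before the policy sees them, which is exactly problem 1. On the identity side, the `PeerAuthentication` in STRICT mode is what makes the `principals` field authoritative: without verified mTLS the peer identity is empty and the policy is only as strong as the network path. For the mixed model of problem 4, an Istio `source` block also accepts `ipBlocks` and `remoteIpBlocks` alongside `principals`, so an operator can keep an address-based rule for legacy callers while the rest of the fleet is addressed by identity.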

Request Briefing from Cloudbees

Cloudbees is a provider of services to enhance continuous software delivery (CD/CT/CI/CF). Their (at least partly vendor-neutral) views on best practices to enhance cloud security (including serverless) can inform guidance produced by this working group.

I have sales contacts from attending their webinars, but if others know of specific contacts with appropriate background and savvy, please help.

Following is a snip from a Cloudbees DevOps security blog post:
"To realize the full benefits of DevOps, organizations must deploy security or identity management technologies that are in sync with a continuous deployment/integration cycle. If identity and access management (IAM) systems cannot be deployed and managed in the same manner as your APIs and microservices, then it makes the DevOps process more cumbersome and less streamlined.

One technology to consider is externalized dynamic authorization delivered with attribute-based access control (ABAC). With dynamic authorization, users are authorized access to resources based on attributes. Authorization is then determined dynamically at runtime by evaluating centrally managed rules and policies.

With dynamic authorization, you can automate policy changes the same way you can automate code changes. In addition, the ABAC service itself can be managed like a microservice, giving it the same flexibility, deployment and automation characteristics as your application microservices. Ultimately, the life cycle of redeploying the application and security components can be fully automated. Similarly, any changes to policies can also be part of the automation process. Furthermore, you can automate the activation of additional authorization servers for peak load conditions and remove them when less capacity is required.

With an automated approach you can relieve pressure on developers, because they no longer will have to write security rules into their code. In addition, access rules are enforced consistently across applications, APIs, microservices and data resources, reducing the risk of overexposure to information and security breaches. This also means that your developers can spend their time on business functionality, not worrying about access security.

Security technologies such as dynamic authorization are a critical part of the DevOps process. With dynamic authorization embedded directly into the development cycle, organizations can automatically address a wide variety of security aspects across the enterprise and ensure a continuous and secure development cycle."

2018-08-21 TOC Presentation Prep

  • PR SAFE WG before 2018-08-21
    • Assign responsible party for PR? Dan Shaw
    • What date do we want to land it on? Proposed date Thursday, 2018-08-16.
    • 2 page overview of SAFE WG. (No need to present WG overview again. Slides are the anchor for kicking of TOC voting.)
    • Who will present the presentation? JJ or Sabree

Following quick overview of work, Chris Aniszczyk will kick off TOC voting.

Request Briefing from Mastercard

At Kubecon Mastercard expressed interest in Google's thoughts on OPA and we assume that Mastercard may be interested in ABAC. I think it would be interesting to hear from them in the context of SAFE.

@dshaw mentioned that he has contacts at Mastercard.

KubeCon + CloudNativeCon, San Diego, CA, November 18 – 21, 2019

San Diego Convention Center, San Diego, California

https://events.linuxfoundation.org/events/kubecon-cloudnativecon-north-america-2019/

  • CFP Close: 11:59PM PDT, Friday, July 12
  • CFP Notifications: Tuesday, September 3
  • Schedule Announced: Thursday, September 5

Dinner, Tues, Nov 19: sign-up

Security-related sessions:

Monday - Nov, 18 -- Cloud Native Security Day

Tuesday, November 19 •

  • CNCF SIG-Security Intro - Sarah Allen, CNCF SIG-Security & Brandon Lum, IBM -- https://sched.co/Uahe 10:55am - 11:30am

Wednesday, November 20 •

  • CNCF SIG-Security Deep Dive - Jeyappragash Jeyakeerthi, CNCF SIG-Security & Zhipeng Huang, Huawei - https://sched.co/UafZ -- 5:20pm - 5:55pm

Thursday, November 21

  • Keynote: Hello From the Other Side: Dispatches From a Kubernetes Attacker - Ian Coldwater, Lead Platform Security Engineer, Heroku -- https://sched.co/UdIL -- 9:22am - 9:42am
  • Tutorial: Attacking and Defending Kubernetes Clusters: A Guided Tour - Brad Geesaman, Brad Geesaman Consulting; Jimmy Mesta, KSOC, Inc.; Tabitha Sable, Independent; & Peter Benjamin, Teradata (Limited Available Seating; First-Come, First-Served Basis) https://sched.co/Uaew -- 4:25pm - 5:55pm

Add compliance work to Roadmap

We should add something about the work on compliance to the SAFE roadmap. For example, perhaps under item 4, "Identify", we could add something like "Identify how different CNCF projects can be configured and used to meet different compliance objectives, highlighting any gaps". Wdyt?

CyberArk: Application Identity in Cloud Foundry and Kubernetes, from the Perspective of an External Service

CyberArk Conjur recently built two new integrations with Pivotal Cloud Foundry / Cloud Foundry and OpenShift (RedHat's implementation of Kubernetes). Through that process, we learned a lot about how applications are uniquely identified in these two systems, and how external services might leverage the internal app identities to reliably privilege appropriate applications to utilize their services.

I am proposing to speak to the SAFE working group about the current state of each of these systems with respect to application identity, and some lessons learned about potential improvements that could be made.

Scope of SAFE proposal

In scope

  • Exploring and recommending security models
  • Identifying and suggesting projects for consideration for CNCF
  • Cross-pollinating knowledge by participating and inviting people from other projects and SIGs to transfer security practices
  • Bringing in external standards from organization like NIST to projects in CNCF
  • Coming up with a common vocabulary to talk about and understand security
  • Coming up with a few block architectures for secure access and fitting components and projects into those boxes
  • Help TOC when needed with evaluation and recommending specific proposal or projects

Out of scope

  • This is not a standards body and we won't be creating standards
  • Not an uber organization or replacing existing k8s/other projects working groups or SIGs
  • Not a compliance body or a certification board for security of individual projects
  • This is not related to vulnerability detection and handling, and we will not answer any specific questions regarding the state of security of any project or product
  • We will not be looking at device or end-user security, unless there is some impact to cloud security

Privacy regulation support

New regulations have been introduced in various regions trying to formalize privacy protection for users. An example is GDPR (https://eugdpr.org/) in EU.
What do these regulations mean to K8S ecosystem? What gaps or pain points exist for k8s service providers today? If such gaps exist, what are good abstractions or capabilities that we should consider to add in k8s?

I raised this question during KubeCon NA in Seattle on Dec 13. I hope this PR can provide a focal point to continue the discussion.

Who is the Quota Operator?

What was the original intent of this persona? it seems like it might be more of a cluster of use cases that belongs to another role, rather than a job unto itself.

From reading the use cases, it seems like it is someone who works in the IT org and is responsible for managing the quota settings for their org --- in my experience, this person is sometimes responsible for checking budgets (at least understanding costs) and potentially recommending an increase in capacity

@dshaw notes that in the public cloud, as a developer you run into situations where you need to request additional quota (from what seems like a human, but could be a bot) -- is that a different Quota Operator role?

Discussed in today's SAFE meeting, see notes

landscape: map projects to categories

This issue is for further work on https://github.com/cn-security/safe/tree/master/landscape

Placeholder for "finishing" the landscape, here are the next steps we have discussed

Map Security-Related Projects From CNCF Landscape Into draft categories, adjusting categories as needed (split off from #66, based on comment from @izgeri)

  • Security and Policy solutions
    • SPIFFE / SPIRE - Evan
    • Notary
    • TUF
    • OPA - Torin with updater
  • Projects with Security Concerns
    • gRPC
  • Platforms (consider sub-projects that can be used stand-alone, such as Envoy, Mixer):
    • Istio
    • Kubernetes
  • solicit feedback from the projects themselves

Create merged agenda uniting the SAFE WG and Policy WG teams

The SAFE WG will be presenting to the CNCF TOC on Tuesday, August 21. The Kubernetes Policy WG has formed a team focused on bringing Cloud Native Policy context back to Kubernetes. Given the overlap between our teams, we are banding together to form one unified group under SAFE.

The agendas of the two groups need to be merged.

Use Case: Cloud Foundry with @sreetummidi

@sreetummidi gave one of the first Use Case presentations, but it was early, most SAFE members have not seen the presentation and the session recording only had video with no audio.

At the 2018-03-30 SAFE Meeting, @sreetummidi agreed to share the presentation again. 🙏 Thank you.

Use case presentation on Sysdig Falco

I wanted to propose a use case presentation for the SAFE-WG on Sysdig Falco. Falco is an open source solution for runtime security. It will detect abnormal behavior inside of containers or container hosts and then notify external systems of the abnormal behavior. This notification can trigger actions such as killing/deleting a container, logging to a collection platform such as an EFK stack, etc.

Some blog posts that highlight how to use Falco:

The earliest we could present is 5/11.
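As an added example, not part of the proposal above and not one of Falco's shipped rules, here is a Falco rule file in the YAML rules syntax that fires when an interactive shell is started inside a container, the kind of abnormal behavior the post describes. The `spawned_process` and `container` macros are defined inline so the file stands alone (Falco's default rule set defines equivalents); the shell list and rule text are the editor's.

```yaml
# Added example for this page (local rules file), not from the Falco project.
# Field names (evt.*, proc.*, container.*, k8s.*) follow Falco's syscall source.
- list: shell_binaries
  items: [ash, bash, csh, dash, fish, ksh, sh, tcsh, zsh]

# A process that has just completed execve/execveat (exit direction "<").
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Any event whose container id is not the host's.
- macro: container
  condition: container.id != host

- rule: Interactive shell spawned in container
  desc: >
    An interactive shell (a process with a controlling tty) started inside a
    container. Expected during debugging sessions, usually anomalous in
    production workloads.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and proc.tty != 0
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    k8s_pod=%k8s.pod.name k8s_ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, runtime]
```

The rule only produces an alert; the responses the post mentions (killing the container, forwarding to an EFK stack) are performed by whatever consumes Falco's output, which is configured separately in `falco.yaml` (JSON output to stdout, a file, an HTTP endpoint, a program, or gRPC). The `proc.tty != 0` clause is what separates an operator's `kubectl exec` session from non-interactive shells that an entrypoint script spawns routinely; dropping it raises the alert volume considerably.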

Key Elements of a Trustworthy System

The working group will outline the common problem of the fragmented and isolated security in distributed infrastructure, refine the requirements for a solution, and discuss the constraints and tradeoffs.

We will initially collaborate via google doc, and later turn into a more formal recommendation. For now, please add comments, ideas and question to the doc linked below:

"Key Elements of a Trustworthy System” google doc

access to minutes

All the meeting minutes docs are not publicly accessible. I am guessing that there is an undocumented Google group that gives access to them? Please can this be documented?

Use Cases for Interoperability

In the security and "management" (i.e., Ops Intel) landscape, consider the concern over how to encourage telemetry from one tool to pub/sub streams from other tools. Mostly, this is a traditional interoperability issue, but security orchestration and automation presents additional important (sometimes mandatory) and nice-to-have capabilities.

Once these requirements are in place, a DevOps pipeline suggests some test assurance to verify that interop has not been compromised and will fail over as intended.

This issue needs associated specific use cases. A few sloppily stated use cases to kick off the process follow:

  1. Log significant events to common logging sinks (e.g., Splunk)
  2. Raise high (see model remarks) alerts to a common SIEM
  3. Ingest and respond to messages from standard attack intelligence streams (e.g., STIX)
  4. Allow for orchestration using OpenControl
  5. Utilize a common framework like ATT&CK for representing threat
  6. Use a domain model through which automated reasoning and aggregation can be performed and maintained
  7. "Forward" and "Backward" (or "top down" and "bottom up") propagation of configuration management messaging

validate personas and use cases

draft proposal

  • Cloud native user: security roles & practices (target companies > N employees)
  • Interview at least 4 people who fit each persona and ask them about their work
    • describe their role & responsibilities
    • what do they do day-to-day to ensure the security of their systems or prevent misuse?
    • how do they (or their company or colleagues) know that this work is effective?
  • Create a survey and ask WG members to invite people they know who might fit these personas (without actually sharing our personas) or share on social networks
    • ask some of the above as survey text questions
    • consider:
      • country where they work
      • language they speak at work
      • company size
      • how long have they been in this role
      • industry experience (in years)
    • we will share results of our study with participants (whether we interview them or not)
  • Synthesize the results into a report

If needed, refine with interviews to gather qualitative data

  • Update personas, if needed. Add/edit use cases. Consider updating language based on how people describe themselves and their role.

Micro-site: categorize and highlight presentations w/ better index

Description: we want to surface the work that the group has done over the past 1.5 years and create a maintainable structure, so as we add more to the repo, parts of it will naturally update on the web also -- basically, more accessible content with some friendly pointers to the repo. We want to start small and iterate, so we thought starting with the presentation would be useful to people and relatively easy to put together. Other content (home page about) could be taken from readme, potentially refactoring parts into separate docs, if needed, to not have content replicated in multiple places. This isn't a site about the SIG, it's a site about cloud native security (knowledge sharing by SIG-Security).

Impact: Make the work of the group more accessible to a larger audience. Initial target audience is people who are already fairly knowledgeable about cloud or about security (e.g. new group members), later expanding as the group creates more resources.

Scope: Initial version should take a few hours to 1 day of work to make the site... once we have all the prerequisites figured out and a plan with review checkpoints, it could get done in 3-4 weeks of calendar time for iterations and discussion to figure out exactly how to set up the files so that they are both easy to maintain and readable, allowing for at least a week in the middle for review/feedback from the wider group.

We have a lot of great source material about security use cases as well as from presentations from specific open source projects that provide solutions in this space

If you are interested in getting involved, pls comment on this issue and join #sig-security-web channel on slack

proposed directory structure:

/presentations

  • /use-case
  • /security-provider

I've gotten a transcript for each session that I plan to post and with overview page for each, including a link to github issue, video, transcript, etc.

TODO:

Notes:

Draft categories for SAFE Landscape

We need to draft the categories that we'll use for grouping projects in the landscape.

This issue is to create an initial draft, and then we'll discuss at a WG meeting

NIST / IEEE Candidate Collaborators / Groups

As requested, a list of groups with potential liaison and socialization opportunities

  1. NIST Big Data WG - Mark U can liaise

  2. IEEE P2675 DevOps Security https://standards.ieee.org/develop/project/2675.html

  3. IEEE Product Safety Engineering Society http://ewh.ieee.org/soc/pses/

  4. NIST Cloud Security SP 500-291 https://www.nist.gov/sites/default/files/documents/itl/cloud/NIST_SP-500-291_Jul5A.pdf

  5. IEEE 7009 - Standard for Fail-Safe Design of Autonomous and Semi-Autonomous Systems WG https://standards.ieee.org/develop/project/7009.html

  6. IEEE P1915.1 - Standard for Software Defined Networking and Network Function Virtualization Security https://standards.ieee.org/develop/project/1915.1.html

  7. IEEE P7000 (series of interrelated standards in development, including privacy, transparency, etc. related to ethical concerns in autonomous systems). https://standards.ieee.org/develop/project/7000.html

Build a Guideline for LargeOrg Security Teams

[Some] Security teams working within large organizations have a traditional approach when designing security requirements for newly deployed cloud native environments. Usually this traditional approach is defined by creating firewalls around applications, filtering EGRESS traffic using a corporate proxy, while manually managing access rules.
Having in mind that security is paramount for most organizations, security teams prefer to reduce agility by holding on to legacy processes and procedures.
I feel that a clear guideline describing basic cloud native security best practices and comparing them with the traditional approach will have a great benefit.

Presentation: Kamus - secrets encryption/decryption solution

Hey
Recently we released Kamus, a solution for secret encryption/decryption for the Kubernetes platform. In a high-level overview, Kamus solves a common problem for containerized applications - how to pass secrets securely? Kamus is designed to encrypt secrets for a specific application, represented by a service account. Only this application can decrypt the secret, and no one else. By this, Kamus offers a secure, zero-trust, GitOps solution to the problem. The design is inspired by Travis' encrypted secrets solution.
I would like to present this project to the working group and get your feedback about it. I would be more than happy to answer any question and provide the required information.

cncf/toc#188
