Compliance_CloudNativeSecurityCon_2023.pptx.pdf

1、Robert FiccagliaPolicy Governance with OSCAL$idRobert Ficcaglia,co-chair wg-policy$ls-al.stuff_i_do Kubernetes sig-security SOX,SOC2,HIPAA,ISO,HITRUST FISMA,CJIS,FedRAMP OSCAL Machine Learningespecially with Graphs$history Focused on Kubernetes(P)olicy and(p)olicy Contributions to Kubernetes communi

2、ty PolicyReport CRD(aligned with OSCAL)Kubernetes Policy White Paper PolicyReport Dashboard+adapters(Falco,Kubeconf,Kyverno,more)In progress Policy Governance Whitepaper OSCAL Examples and NIST collaboration Review and use cases for CEL based Admission Control PolicyReport KEPBasic(P)olicy Questions

3、 Who should have access to IaC/clusters?Who can deploy workloads and services to your clusters?What resources should be in my IaC/clusters?What actions can users perform?What permissions do workloads have within clusters?What are the network policies between workloads within clusters?Configuration(p

4、)olicy Questions What resource configs can be deployed in your clusters?How to isolate workloads?How to manage data flows?How do you set limits on resources available to a workload?What baseline configuration standards/defaults for workloads?Can I verify the integrity of workload images?Cross cuttin

5、g concerns-eg.storage and access roles?Provisioning or meta-admin cluster(s)?CONOPSDeclarative configurationKubernetes supports declarative control by specifying users desired intent.The intent is carried out by asynchronous control loops,which interact through the Kubernetes API.This declarative ap

6、proach is critical to the systems self-healing,autonomic capabilities,and application updates.This approach is in contrast to manual imperative operations or flowchart-like orchestration.0Gitops vs.GRC?0 https:/ OSCAL?Kubernetes Policy+OSCAL=Compliance-as-Code PolicyReport CRD OSCAL Assessment Resul