cloud-native-security-controls / controls-catalog

Apache License 2.0

Draft a submission for the Cloud Native SecurityCon North America CFP #12

Closed JonZeolla closed 1 year ago

JonZeolla commented 1 year ago

https://events.linuxfoundation.org/cloud-native-securitycon-north-america/program/cfp/

CFP Closes: Monday, July 25, 11:59 PM PDT
CFP Notifications: Monday, August 29, 2022
Schedule Announcement: Wednesday, August 31, 2022
Slide due date (dates you need slides by): Due date will be shared during the speaker notification window
Event Dates: Monday, October 24 – Tuesday, October 25

pratiklotia commented 1 year ago

Submission format: Lightning Talk

Category: Open source security tools / Security in the SDLC / Security Automation / GRC (The complete list is here, although I'm inclined more towards 'GRC'. Thoughts?)

Abstract Title: Assessing cloud posture using CNS Controls Catalog

Abstract: Organizations are in need of a standard way to perform a full assessment of their cloud posture. This talk provides insight into how security professionals as well as auditors can use the controls & implementation details provided in the CNS Controls Catalog to identify adherence to NIST SP800-53r5 controls in the context of the security best practices recommended in the CNS Whitepaper and Supply Chain Security Whitepaper. Finally, the talk provides examples of using the OSCAL framework to automate such audits.

Audience: The audience for this catalog are members of DevSecOps, Site Reliability Engineering (SRE), and Platform teams, as well as Auditors, Regulators, and Governance, Risk, and Compliance (GRC) team members.

Benefits for the Ecosystem: Various organizations use CNCF security tools and recommendations in their cloud native environments but do not have a well-established method to create a report of their security coverage or identify gaps in their security implementations. This enables them to create compliance reports and serves as a starting point for assessing alignment with security best practices.

brandtkeller commented 1 year ago

Governance, Risk, and Compliance does feel like the most applicable category.

Finally, the talk provides examples on using OSCAL framework to automate such audits.

I'm still playing catch-up, but are these automations available, or are we discussing theoretical automation with OSCAL?

schneiderj13 commented 1 year ago

LGTM.

I think when discussing controls I generally think of GRC as the Category Track.

pratiklotia commented 1 year ago

@brandtkeller no automations are available yet. The goal is to have a few examples ready before October.

pratiklotia commented 1 year ago

@schneiderj13 Makes sense, agree.

ghost commented 1 year ago

👍 for the GRC category.

Nits: Potentially replace CNS with Cloud Native Security (just spell out the acronym)

JonZeolla commented 1 year ago

@pratiklotia I agree with GRC

On the title, how about: Assessing environments against cloud native security best practices

That way we can cover things maybe outside of the cloud like VCS, pipelines, supply chain, etc. Maybe we use environments instead of cloud posture as well? Here's my minor abstract tweak:

Organizations are in need of a standard, sane way to perform an assessment of their cloud native environments. This talk provides insight into how security professionals as well as auditors can identify whether they are following the controls and practices suggested in CNCF-published white papers. We will also provide examples of how we plan to develop open source automation to reduce the toil of audits and cross-mapping to various frameworks and standards so builders can reduce toil and focus on making our environments safer.

pratiklotia commented 1 year ago

@JonZeolla Agree on updating the title. That sounds better. The tweaks for the abstract look good to me. I was hoping to somehow mention NIST 800-53v5 and OSCAL in the abstract, as that will likely draw good attention from the GRC audience.

Organizations are in need of a standard, sane way to perform an assessment of their cloud native environments. This talk provides insight into how security professionals as well as auditors can identify whether they are following the controls and practices suggested in CNCF-published white papers and thereby adhering to NIST 800-53v5 controls. We will also provide examples of how we plan to develop open source automation (such as OSCAL) to reduce the toil of audits, and cross-mapping to various frameworks and standards to enable builders to focus on making their environments safer.

JonZeolla commented 1 year ago

Submitted