cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://cncf.io/projects

Automated Governance Reference Architecture #1209

Closed anvega closed 2 weeks ago

anvega commented 6 months ago

The CNCF TAG Security group has made significant strides in guiding the community towards secure software practices with the Secure Software Factory Reference Architecture Paper. Building on this foundation, I propose the creation of an Automated Governance Reference Architecture. This initiative aims to provide comprehensive guidelines and best practices for implementing automated governance processes within cloud native environments. It will focus on integrating security, compliance, and auditability into CI/CD pipelines, offering a clear pathway to automate and operationalize governance and compliance engineering practices.

This proposal, once materialized, will benefit organizations striving to maintain governance and compliance in fast-paced, highly regulated environments such as those in governmental, financial, and medical sectors. It will aid cloud architects, security professionals, and platform teams in implementing automated governance mechanisms that are both efficient and secure. This will streamline compliance processes and enhance the overall security posture of cloud native applications, benefiting a wide range of stakeholders.

This project's scope is currently broad and will be refined based on community input. It may involve:

Effort estimation is "not yet determined" and will depend on the collaborative input and agreement from the community.

Intent to lead:

TO DO

crenshaw-dev commented 6 months ago

I think this reference architecture would be really helpful for a lot of orgs. Intuit has built a lot of automated security tooling in our cloud-native environments. A reference architecture would provide us a great place to compare and find areas we might be missing extra layers of security or where we could adopt newer/better patterns.

And just thinking back to previous employers in highly-regulated spaces, smaller orgs than Intuit: this would really help them get their initial cloud-native setup pieced together. The landscape can be intimidating if there's no clear model to mimic.

knowlengr commented 6 months ago

If undertaken, this work should identify potential overlap with NIST OSCAL https://pages.nist.gov/OSCAL/ and commercial related products like Regscale https://regscale.com/.

-Mark


JustinCappos commented 6 months ago

FYI: @mlieberman85

Sounds interesting to me. I'm wondering if at some level we want to collect all of this work under a single framework.

anners commented 6 months ago

LGTM - anything less complicated than OSCAL is 💯

matthewflannery commented 6 months ago

More than happy to co-lead / contribute to this amazing initiative; after talking with Andres, this very closely aligns with what we are looking to achieve. Agreed on the OSCAL comment :)

The existing reference architectures such as SSF have been pivotal in helping organisations understand what's available and possible, and as this is a particularly emerging space, bringing the amazing people of tag-sec together on this will be highly beneficial to industry and government.

cqueern commented 6 months ago

Interested, look forward to supporting.

edp1337 commented 6 months ago

I would like to participate in this project.

JonZeolla commented 6 months ago

I am definitely in :)

zeal-somani commented 6 months ago

This is great. Would be good to have FINOS CCC poced here

justinleapline commented 6 months ago

I would love to help out with this!

anvega commented 6 months ago

Welcome @cqueern @JonZeolla @edp1337 @justinleapline!

Absolutely, @zeal-somani! In fact, we discussed this idea yesterday with @mindthegab, who is very supportive of this as a cross-foundation collaboration between CNCF and FINOS. Based on that discussion, it seems like a good next step to bring this to the attention of @robmoffat for coordination and having a liaison.

anvega commented 6 months ago

It's great to see we already have a group of 10 people, and I'm expecting more interested participants to join us soon. To get things started, our initial meeting is scheduled for January 9 (US) and January 10 (Australia), and we plan to meet biweekly at 4 PM (UTC-8 - US West Coast) / 11 AM (UTC+11 - Sydney) on Wednesdays, with asynchronous work in between.

Additionally, we're considering scheduling supplementary touchpoints at times more convenient for our US East Coast and EMEA contributors. These will complement our primary biweekly meetings.

jkjell commented 6 months ago

If we're expecting more folks to join, would it make sense to wait a bit, and survey the contributors for a time that works for the majority?

jkjell commented 6 months ago

Had a chat with @anvega and it sounds like most of the lead folks are west coast US and Australia. It's awesome to have such an international crowd willing to help out. ❤️ 🌏 I'm up for the async work and if there's enough folks in EMEA or east coast US to help coordinate that meeting. Can't wait to learn more from everyone!

fkautz commented 6 months ago

This sounds like it can be very useful. Would love to help with this effort.

AbiDabi123 commented 6 months ago

I would love to participate in this project.

eddie-knight commented 5 months ago

There appears to be a large degree of overlap in vision between this and Common Cloud Controls, though perhaps variation in implementation details.

The specific areas of overlap are:

integrating security, compliance, and auditability into CI/CD pipelines, offering a clear pathway to automate and operationalize governance and compliance engineering practices

The CCC project has a focus on financial service regulations, but the processes are generalized, and the work being done there will likely streamline many of the future discussions here. Early collaboration should be strongly considered.

anvega commented 5 months ago

Thank you for highlighting the Common Cloud Controls project. While there may seem to be similarities in vision, particularly in integrating programmability into compliance and auditability, our Automated Governance Reference Architecture project has a different emphasis.

The CCC project is indeed valuable, especially with its focus on financial service regulations and common cloud provider services. However, our project extends beyond the scope of cloud provider-native tools the likes of AWS CodePipeline, GCP Cloud Build, or Azure DevOps. These are a small subset in the ecosystem and scope of Automated CI/CD Governance. We're looking at a broader range of CI/CD tools extensively used in regulated industries, including popular CI/CD tooling like GitHub, GitLab, and Jenkins, among others.

Furthermore, our approach encompasses a variety of additional tooling aspects like artifact repositories, metadata stores, transparency ledgers, and code scanning and analysis, many of which are open source and not limited to native cloud services of major providers or proprietary solutions.

That being said, I agree that both projects can progress independently while benefiting from shared knowledge and insights. Although the specifics of broader service catalogs not directly related to CI/CD might not directly streamline CI/CD governance discussions, collaboration and information exchange between our groups could still be highly beneficial, enriching both endeavors.

eddie-knight commented 5 months ago

Thanks for clarifying @anvega (and for the offline discussion as well). While CCC is focused on capturing cloud taxonomies and building new tools to validate infrastructure compliance, this project appears to be focused more toward capturing the current best practices for change management hygiene.

anvega commented 5 months ago

Thanks for summing it up so well.

The goal of this Automated Governance project is to identify existing best practices for change management in CI/CD, explicitly addressing the challenges of Change Advisory Boards in regulated environments. As a reference architecture, our focus is on established and real-world tested approaches and frameworks. While we might pinpoint gaps that new, under-development tooling could fill, our primary aim is to document and advocate for proven strategies.

achetal01 commented 5 months ago

Interested. Please include me

brandtkeller commented 5 months ago

Interested in participating!

anvega commented 5 months ago

Hey all, ahead of the kickoff meeting tomorrow, I started a Google Doc to capture meeting notes. I've also set up a Google Meet. Will file a ticket to add the calendar invite to the TAG calendar.

Please remember to add yourselves to the #automated-governance slack channel.

anvega commented 5 months ago

Meeting link for today:

Join Zoom Meeting ID: 96881265658 Passcode: 490585

anvega commented 5 months ago

Working draft: https://docs.google.com/document/d/14pV0ooE40yuo0u_CH-OeWS8lZgMBfxo8F38QRIaKUXY/edit

anvega commented 5 months ago

We have established the initial content and framework for the document.

The document is divided into two major sections. The first two-thirds primarily consist of prose, presenting and advocating for a standards-based reference architecture built on open-source components. The final third, which I anticipate will expand to surpass the other sections by getting more into details, is currently dedicated to proposed patterns. It's this latter section where I'd like to direct most of your attention, to help produce the actual design of the architecture. All sections contain seed text at this stage, but again I expect the technical specification section to be more elaborated at a low level and to have new components added to it.

For those of you contributing extensive viewpoints and perspectives to the initial sections, the necessary structure is in place. Following the model set by @JustinCappos in Open and Secure, if you wish to express your thoughts in your unique voice, please do so in commentary boxes located at appropriate points throughout the document. Echoing Justin's sentiment from then, we are seeking politely opinionated insights from experts in our community who have relevant expertise. Depending on their length, we might also consider an appendix section of 'biographical stories' to further explore each contributor's journey/stance on the subject.

I anticipate a commitment of about 6-12 hours of writing from each contributor to draft the respective parts they take on. As a group, we will then review what we have, identify any gaps, and decide on the next steps, including what to add, revise, or refine.

While we might propose minor edits to others' contributions for the sake of brevity, clarity, or tone, our goal is to let the diverse voices of our community shine through. So, please share your insights and expertise in the relevant sections to help enhance the document.

Specific areas where key contributions are sought include:

Thanks to @matthewflannery and @anners for being the first to review and @brandtkeller for taking the initiative to plow at it. 🚀

anvega commented 4 months ago

New meeting link using the CNCF zoom account for upcoming calls:

Time: Feb 6, 2024 04:00 PM Pacific Time (US and Canada)
Every 2 weeks on Tue, until Apr 30, 2024, 7 occurrence(s):
Feb 6, 2024 04:00 PM
Feb 20, 2024 04:00 PM
Mar 5, 2024 04:00 PM
Mar 19, 2024 04:00 PM
Apr 2, 2024 04:00 PM
Apr 16, 2024 04:00 PM
Apr 30, 2024 04:00 PM

Please download and import the following iCalendar (.ics) files to your calendar system.
Weekly: https://zoom.us/meeting/tJUtduGoqz4qGddkUvgs3jVjzUEY6Y8MEcT6/ics?icsToken=98tyKuCprjoiGtGQsBqERowcAoj4WfTwmCVfjadZlyrzBDMAaDX8LNdnC-RGSPX1

Join Zoom Meeting https://zoom.us/j/91018055033

Meeting ID: 910 1805 5033

matthewflannery commented 4 months ago

Nice work everyone in the doc so far. Shaping up nicely.

anvega commented 2 weeks ago

This is a formal workgroup now with the respective assets under community/automated-governance. Will track progress there.