cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

Cloud Native Security Controls Catalog (Phase I) #635

Closed TheFoxAtWork closed 2 years ago

TheFoxAtWork commented 3 years ago

Description: Creation of a granular cloud native security controls catalog that includes items from the CNSWP & SSCSP. First effort for Audit/GRC/reasoning Card on the Roadmap & planning for 2021-2022

Impact: This catalog may be leveraged by end users and the community to improve the auditability of cloud native architectures against regulatory compliance and industry best practices. The controls should be specific and actionable to engineers and not high level.

Scope: Current Scope is defined based on Monday May 31st Meeting:

As organizations seek to adopt more secure cloud native architectures, the Security TAG has provided a wealth of information to assist in their planning and design; the Cloud Native Security Whitepaper (CNSWP) & the Software Supply Chain Security Paper (SSCSP). This work intends to expand on that existing body of work to provide organizations with implementation information in the form of controls.

It is not the intent of the Security TAG to remap existing mapping matrices of regulatory and best practices controls and frameworks. Where mappings already exist, they are incorporated and referenced into the controls catalog and verification to provide a unified audit framework for organizations seeking to adopt modern security practices. It is not the intent of this effort to supersede existing industry accepted frameworks and assessment languages. It is designed to complement and incorporate or leverage what is currently available.

Future Scope - The following items would be potentially in scope of this large project and may likely need to be broken into separate areas:

TO DO

chasemp commented 3 years ago

👍

This seems like some of the most practical output the group could create. I am interested in being part of this effort. Small thought that maybe mapping to CSA CCM 4.0 is an option as it's meant to map to existing frameworks already.

lumjjb commented 3 years ago

Application to security reviews to improve consistency of CNCF Security TAG reviews

I'm not quite clear where this bullet fits in here..

Want to make a clarification on this: is this a catalog of resources that will assist in the mapping, or is the scope to do the actual mapping itself? My concern is that a lot of the mapping is already done by companies and vendors, and really it is a full-time job of multiple teams, so just want to make sure we appropriately scope this.

chughes29 commented 3 years ago

That's a great idea, and presents a situation where organizations can attest to adhering to the best-practices guidance, tied to specific control identifiers.

I would be interested in helping with this activity, and I think it would make both the CNSWP & SSCSP more actionable and tangible to those within the security community, by tying it to frameworks they are both familiar with and regularly utilize. It would likely amplify the use/reference of CNSWP and SSCSP within the industry.

TheFoxAtWork commented 3 years ago

Want to make a clarification on this: is this a catalog of resources that will assist in the mapping, or is the scope to do the actual mapping itself?

Several existing commercial and non-commercial mappings to CSF/NIST/GDPR/SOX, etc. exist. Many of the controls in those frameworks are high level and lack granularity to cloud native practices and models. This is not an attempt to remap them, but to establish a specific, granular catalog of cloud native security controls that relate to those existing mappings.

Example: NIST 800-53 SA-10 Developer configuration management is too broad and too general. One control in the CNSWP related to this (and other controls) of actionable granularity is "Test suites follow the test pyramid" and "Test suites are updated against new and emerging threats and developed into security regression tests".

Application to security reviews to improve consistency of CNCF Security TAG reviews

As a potential opportunity, some items recommended in either CNSWP or SSCSP could be integrated into the existing security reviews process to provide more structure to the manner by which reviews are performed (specific things to look for)
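As an added illustration of the catalog structure discussed in this comment (example code written for this page, not the Security TAG's schema and not code from the linked branch): each granular, engineer-actionable control carries its own verification step and a reference to the broad framework control it helps satisfy, so an auditor can start from a familiar identifier such as NIST 800-53 SA-10 and land on concrete, checkable items. The `Control` fields, the identifier format, the verification text for the two CNSWP controls, the mapping string format and the validation rules are all assumptions made for the example.

```python
"""Minimal controls-catalog model (added example; not the Security TAG's actual schema)."""
from collections import defaultdict
from dataclasses import asdict, dataclass
import json


@dataclass(frozen=True)
class Control:
    # Identifier format "<SOURCE>-<AREA>-<n>" is constructed for this example.
    control_id: str
    source: str            # paper the control comes from: "CNSWP" or "SSCSP"
    statement: str         # specific, actionable statement aimed at engineers
    verification: str      # how the control is checked (process or technical test)
    mappings: tuple        # "<framework>:<control id>" references to existing frameworks


KNOWN_SOURCES = {"CNSWP", "SSCSP"}


def validate(control: Control) -> list[str]:
    """Return schema violations for one entry (an empty list means it is acceptable).

    The checks encode the thread's stated requirements: controls must be specific
    and actionable, must carry a verification step, and must relate to at least
    one existing framework mapping rather than replace it. Thresholds are assumptions.
    """
    problems = []
    if control.source not in KNOWN_SOURCES:
        problems.append(f"{control.control_id}: unknown source {control.source!r}")
    if len(control.statement.split()) < 3:
        problems.append(f"{control.control_id}: statement is too vague to be actionable")
    if not control.verification.strip():
        problems.append(f"{control.control_id}: no verification/test defined")
    if not control.mappings:
        problems.append(f"{control.control_id}: no mapping to an existing framework")
    for ref in control.mappings:
        if ref.count(":") != 1 or not all(ref.split(":")):
            problems.append(f"{control.control_id}: malformed mapping {ref!r}")
    return problems


def build_index(controls) -> dict[str, list[str]]:
    """Invert the catalog: framework reference -> granular catalog control ids."""
    index = defaultdict(list)
    for c in controls:
        for ref in c.mappings:
            index[ref].append(c.control_id)
    return dict(index)


def controls_for(controls, framework_ref: str) -> list[Control]:
    """Granular controls an auditor should check for one framework control id."""
    return [c for c in controls if framework_ref in c.mappings]


def to_json(controls) -> str:
    """Serialise the catalog so it can be diffed, reviewed and consumed by tooling."""
    return json.dumps([asdict(c) for c in controls], indent=2)


# Sample catalog: the two CNSWP test-suite controls quoted in the thread, mapped to
# NIST 800-53 SA-10 (verification text is constructed); the third entry is a
# constructed bad example that shows what validation rejects.
SAMPLE_CATALOG = [
    Control("CNSWP-TEST-1", "CNSWP",
            "Test suites follow the test pyramid",
            "Review CI configuration: unit tests outnumber integration tests, "
            "which outnumber end-to-end tests",
            ("NIST-800-53:SA-10",)),
    Control("CNSWP-TEST-2", "CNSWP",
            "Test suites are updated against new and emerging threats and "
            "developed into security regression tests",
            "Sample recent security fixes and confirm each has a regression test",
            ("NIST-800-53:SA-10",)),
    Control("EXAMPLE-BAD-1", "CNSWP", "Be secure", "", ()),
]


if __name__ == "__main__":
    for c in SAMPLE_CATALOG:
        for problem in validate(c):
            print("REJECT", problem)
    for ref, ids in build_index(SAMPLE_CATALOG).items():
        print(ref, "->", ", ".join(ids))
    print(to_json([c for c in SAMPLE_CATALOG if not validate(c)]))
```

Running the module lists the three reasons the vague entry is rejected and shows that SA-10, on its own too broad to audit directly, resolves to the two granular CNSWP controls; the JSON output is the shape a later OSCAL or spreadsheet conversion would consume.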

alexbarbato commented 3 years ago

Love this!

Inclusion of tests to validate/verify (both process and technical tests as appropriate)

I'm curious for thoughts on how #496 ties in here. The traffic on #496 seems to imply that there are tools to do the security scanning for CNCF projects, but coupling that here with mappings to various control sets like NIST would be sooo huge.

I'd be very happy to help contribute to the automated mappings/outputs

TheFoxAtWork commented 3 years ago

496 definitely ties in here.

This is on the agenda for discussion Wednesday May 26th; if you can make it, great! I have an initial control catalog here: https://github.com/TheFoxAtWork/tag-security/tree/cns-control-catalog/cns-implementations

achetal01 commented 3 years ago

I would like to contribute to this effort. Thank you

pratiklotia commented 3 years ago

I would like to contribute as well. Thanks.

fkautz commented 3 years ago

Please include me on these conversations. Thank you.

TheFoxAtWork commented 3 years ago

@alexbarbato please be sure to join the slack workspace so we can collab on this: https://cloud-native.slack.com/archives/CDJ7MLT8S (didn't see you to tag you in the thread)

alexbarbato commented 3 years ago

Coordination convo tomorrow for anyone interested 😄

Details here: https://docs.google.com/document/d/10eY_ICglcI5HxYFwUNpEW9Zk_HLoVbYex7OCNraAKe0/edit?usp=sharing

Harrysk commented 3 years ago

I would like to contribute to this. Please count me in.

Thanks.

Best Regards, Hari.

On 30. May 2021, at 20:28, Alex Barbato @.***> wrote:

Coordination convo tomorrow for anyone interested 😄

Details here: https://docs.google.com/document/d/10eY_ICglcI5HxYFwUNpEW9Zk_HLoVbYex7OCNraAKe0/edit?usp=sharing

achetal01 commented 3 years ago

I would like to contribute to this effort as well. Also agree with Emily that we need to provide granular guidance on controls and specific details are important. A high-level, generic set of controls leaves it open to interpretation by individuals.

Thank you

magnologan commented 3 years ago

Just an FYI that today is a holiday in the US and UK (Memorial Day and Spring Bank Holiday respectively) so a lot of people interested may not be able to participate.

alexbarbato commented 3 years ago

No worries. There will be more opportunities for people to participate in the future!

alexbarbato commented 3 years ago

Had a great meeting tonight with @chughes29, @pratiklotia, @fkautz, and myself where we spoke about scope and way forward. Meeting notes and most all async collaboration exists in this google doc until something is PR'able - https://docs.google.com/document/d/10eY_ICglcI5HxYFwUNpEW9Zk_HLoVbYex7OCNraAKe0/edit#

NOTE: Most of the wording below is heavily stolen from @TheFoxAtWork's initial pass - https://github.com/TheFoxAtWork/tag-security/tree/cns-control-catalog/cns-implementations

Scope

As organizations seek to adopt more secure cloud native architectures, the Security TAG has provided a wealth of information to assist in their planning and design; the Cloud Native Security Whitepaper (CNSWP) & the Software Supply Chain Security Paper (SSCSP). This work intends to expand on that existing body of work to provide organizations with implementation information in the form of controls.

It is not the intent of the Security TAG to remap existing mapping matrices of regulatory and best practices controls and frameworks. Where mappings already exist, they are incorporated and referenced into the controls catalog and verification to provide a unified audit framework for organizations seeking to adopt modern security practices. It is not the intent of this effort to supersede existing industry accepted frameworks and assessment languages. It is designed to complement and incorporate or leverage what is currently available.

The biggest thing to note about our scope here is that we would like to deprioritize everything but making the initial controls list for now. All of the other proposed in-scope items seem massively valuable, but we want to try to tackle the smallest slice possible.

Deliverables

Short term: (1 week)

Long term:

Meetings / Going forward

Mondays at 8PM EST for a month (Zoom in google doc)

| TODO | Milestone | Estimated time |
|---|---|---|
| [x] | Audience, Goals, & refining scope | 1 week |
| [ ] | Tasking Assignment | 1 week |
| [ ] | Content Rough-in | 2-3 weeks |
| [ ] | Collaborative Review | 2 weeks |
| [ ] | Executive Summary and content wrap up | 2 weeks |
| [ ] | Narrative Voice | 1-2 weeks |
| [ ] | Final Group Review | 1 week |
| [ ] | Community Review | 2 weeks |
| [ ] | Public comment adjudication | 2 weeks (simultaneous with review) |
| [ ] | CNCF publishing engagement | ~2-3 weeks |
| [ ] | Addition to the repo | 2 weeks |
| [ ] | Blog post and publishing coordination | 2-3 weeks |

Ideally we will be through the heavy lifting of getting the catalog together in June and start potentially looking at all the other proposed scope items!

Please don't hesitate to reach out with any comments, questions, concerns, or words of advice.

pragashj commented 3 years ago

This is an awesome effort team! Nice work pulling this in @alexbarbato! Few suggestions: As @lumjjb pointed out, keeping scope is going to be important. I would also recommend in this case "maintainer(s)" for the artifact, as things around the mapping will get stale real fast and/or new controls come up. One other thing to reduce staleness and improve adoption of this effort is to map this to landscape effort by Brandon, as some of these will be done as tooling in which case the maintenance burden is offloaded.

alexbarbato commented 3 years ago

I've added a new "Controls Catalog" -> "Schema" section with an attempt to make a schema by which we can make the initial controls catalog and evolve.

It is heavily inspired from @TheFoxAtWork's initial pass and I've tried to be quite opinionated so as to give people something to react to!

Please leave feedback in the form of comments or suggestions in the Google Doc. In the case that I've botched the sharing, please just @ me and I'll try to fix!

Thanks so much for everyone's feedback here :D

alexbarbato commented 3 years ago

Had another meeting tonight, thanks those that attended!

Updates -

aks-alokraj commented 3 years ago

I would like to contribute to this.

knowlengr commented 3 years ago

I am interested and can help with use cases for support of audit, assurance (because it's also "continuous") and metadata flow. Also potential parallel thread with OSCAL.

rficcaglia commented 3 years ago

I am interested and can help with use cases for support of audit, assurance (because it's also "continuous") and metadata flow. Also potential parallel thread with OSCAL.

@knowlengr see ongoing OSCAL alignment (narrowly scoped to k8s)

JonZeolla commented 3 years ago

Am I too late to join the project team? Looking to contribute and the existing meeting time works well for me

alexbarbato commented 3 years ago

@ak-secops @knowlengr @JonZeolla - Thanks for wanting to help! You're definitely not too late and we meet Monday nights at 8PM EST

For now, we are reviewing the initial schema for generating the initial controls list. Can be found here

Also, hopefully we aren't doing anything in parallel to OSCAL as it's not at all off the table that we actually convert our initial controls list to the OSCAL schema!

alexbarbato commented 3 years ago

Another update: Schema finalized in the google doc. I'll make a Google Sheet for people to collaborate on the initial control set from (I'll port over Emily's existing work) - I plan to have this done tomorrow (June 15)

From there, people should feel free to review whichever STAG paper they'd like and start adding controls per the schema + comment/review as desired.

Goal is to have an initial internal draft done by end of June to prepare for a more formal draft in mid-July.

alexbarbato commented 3 years ago

I've created the initial controls list port (very poorly done, but it's a start). I've got the Google Sheet set up and will send to the contributors that have hopped in so far.

DM me on Slack please if you'd like the link :)

BNFTYNick commented 3 years ago

I'd like to contribute

alexbarbato commented 3 years ago

Meeting recap!

Next week (Jun 28) we will discuss how we might want to iterate on this initial controls list. (Mappings? More specificity? etc.) This week, big item is to review the controls from both papers that @TheFoxAtWork has so graciously worked on and add/edit any that may have been missed.

TheFoxAtWork commented 3 years ago

Folks - due to time constraints and commitments, Chris and Alex will be taking a back seat and Jon has volunteered to step in as project lead to continue this. Thanks everyone!

gcblana commented 3 years ago

Hello! I'm Greg Blana, and I would like to participate and contribute in this activity.

JonZeolla commented 3 years ago

Hi @gcblana, welcome! Please jump into the #tag-security-controls channel on the CNCF slack (you can invite yourself here if needed); I am planning to send out a poll soon to revitalize this project.

@TheFoxAtWork can you please add @ak-secops, @knowlengr, and @gcblana to the project members? Thanks!

JonZeolla commented 3 years ago

@TheFoxAtWork can you update the meeting link above to be https://meet.google.com/qyi-vmey-fvi and meeting time to Tuesdays, 6p ET/3p PT? Thanks!

CC: @chasemp, @achetal01, @pratiklotia, @fkautz, @Harrysk, @alexbarbato, @chughes29, @ak-secops, @knowlengr, and @gcblana

TheFoxAtWork commented 3 years ago

@achetal01 you've been doing more on this. Do you want to take on STAG rep for this or remain as contributor? Either is fine; just wanted to check in with you.

achetal01 commented 3 years ago

Emily, Sure happy to run with it. Thank you Emily.

JonZeolla commented 3 years ago

@TheFoxAtWork can you please update the Meeting Hangouts Link to https://meet.google.com/gqv-hfuw-von and meeting time to Wednesdays at 6pm Eastern please? Thanks!

JonZeolla commented 2 years ago

@achetal01 / @TheFoxAtWork can you please update the Meeting Hangouts Link to https://meet.google.com/gqv-hfuw-von and meeting time to Wednesdays at 6pm Eastern please? Thanks!

TheFoxAtWork commented 2 years ago

From discussion with CSA 12/10/2021 - we'd like to share the existing controls we've been working on with CSA to potentially assist in CCM v.x but also provide implementation specific information unique to the cloud native space.

Further - this working group should document the decisions and intent behind how we are reasoning the controls and implementation to better assist users of the controls as to why we have done things, but also to assist potential collaborative groups with reviewing our content.

CC @achetal01 @lumjjb @johnyeoh

achetal01 commented 2 years ago

Jon and Security Controls WG Members

Hello

I will schedule a joint meeting with the CSA CCM team for the Security Controls WG to have an initial discussion in January. We can have an exchange of ideas and then define goals for this joint effort as well as logistics etc.

Hopefully we will have the MOU in place by then.

Thank You.

CC @JonZeolla @johnyeoh @TheFoxAtWork @lumjjb

achetal01 commented 2 years ago

We had a discussion around this project in the Chairs meeting today. We discussed that the goal is to complete these current mappings to the Cloud Native Security Whitepaper and close this project and issue.

For Phase 2, I'm creating a new issue; we will get started on mapping the controls after this issue is closed.

Thank you

achetal01 commented 2 years ago

The New Issue for Phase II is #845

JonZeolla commented 2 years ago

@TheFoxAtWork We moved to biweekly Wednesday meetings; next meeting is Feb 16. Can you please update the original post, including the below new Google meet link? Thanks!

https://meet.google.com/kae-zxdz-nom

JonZeolla commented 2 years ago

Project update: We have an initial listing of controls here from v1 of the Software Supply Chain Security Paper and v1 of the Cloud Native Security Whitepaper, including a partial NIST SP800-53r5 mapping, and implementation details.

We are working through the final implementation details/context to add to the spreadsheet and the 800-53 mapping. When that is complete, Phase 1/this issue should be ready for TAG-Security review.

JonZeolla commented 2 years ago

@achetal01 @lumjjb @TheFoxAtWork this is nearly ready for review from the rest of Security TAG (expected this week). I won't be able to attend the Security TAG meeting tomorrow, so I was wondering if there's a process to make that review request? I am going to post in #tag-security-controls to see if any of the other team members will be at the meeting tomorrow and can provide a verbal update there as well.