any further ado, I am really psyched to have the TIAA folks here, and Jaya, who has been working with TIAA, to talk about policy management and how they're leveraging that in their cloud security services. Aradhana, thank you very much for your patience with our process, and everybody in the audience, please take it away, introduce yourselves, and I will go off camera for now.

Thank you, Diane. Good afternoon, all. My name is Aradhana Chital. I am senior director exec of cloud security at TIAA. I'm also co-chair for CNCF TAG Security and the Cloud Security Alliance Serverless Working Group. Jaya?

Thank you, Aradhana, for joining this session. Hi everyone, I'm Jaya Ramanathan. I'm the chief security and governance architect within Red Hat and also a distinguished engineer. My passion right now is policy-based governance and policy management and such, which is what we're going to talk about today. Go ahead, Aradhana.

Sure. So let's step back and look at an enterprise today, especially a regulated financial enterprise. We have some traditional applications, right? Every regulated entity or traditional enterprise has all those applications which have grown over time, and then they have cloud platforms, possibly multi-cloud; every enterprise is multi-cloud, literally, now. And then there are efforts going on where you have to refactor your traditional applications into containers so you can increase the velocity of deployment. At the same time there are challenges from a security and compliance perspective, because you have all these different flavors of cloud platforms and container platforms and your traditional enterprise IT, where the existing tools may not work in another cloud environment or may not work in a container platform. So the retooling of all the security controls etc. is quite an amount of work and a challenge, and then having security seamlessly deployed with consistent policies across your IT estate is another big challenge for enterprises today. And let's talk about regulatory compliance, and
not only do we have internal auditors, that is the second and third line of defense, who are auditing our environments constantly and identifying any gaps or risks that we need to mitigate, but then we have external entities like OCC and FRBV and all those entities who want to look at our platforms and make sure that we are meeting all the regulatory compliance that we need to meet. So that was an overview of any traditional financial organization or any regulated body, and we are no different at TIAA. So we are also multi-cloud. We have leveraged OpenShift as our on-prem private cloud, where we are using it as a playground for our developers to go ahead and refactor our enterprise applications into microservices, so we can do digital transformation and at the same time achieve the velocity of deployment, right? Because financial applications change very quickly to meet the customer needs, so we need these applications to be microservices. Today it's a private cloud, but we are looking to a future roadmap item where we will be a hybrid OpenShift cloud platform as well as container platform. So roughly we have about 42 clusters and about 750-odd applications which are containerized right now, running on an OpenShift platform. The main features of OpenShift that we are using: we recently migrated to 4.7, which provides CoreOS as the operating system, and it can be deployed on bare metal, so we wanted to get the cost efficiencies that you can get with deployment on bare metal. At the same time we wanted automation of configurations and policies that can be deployed on our container platform across the estate, and use Istio, you know, to build micro-segmentation between applications as another layer of defense, so we can reduce our attack surface and give developers the freedom to go do their development and explore changes within their own little micro-segment. So that is pretty much a high-level summary of what we use OpenShift for today and what our journey has been for
OpenShift. Thank you. Over to you, Jaya.

Thank you, Aradhana. So I think, as Aradhana highlighted, right, if you look at any customer who is adopting cloud, they are typically moving toward a hybrid model, and they also have to meet various enterprise standards, both internal as well as external regulatory compliance and so on. So then if you think about how customers are achieving these goals, right, they have to worry about every layer of the stack. So they have to start at the operating system level, then the container platform, then the middleware, then their applications, and typically, you know, they have to make sure that all these layers are configured properly to meet their enterprise standards and external regulatory compliance requirements and also successfully pass audits. So really, if you think about a person who is managing this environment, right, the site reliability engineer or the ops person, they are really not experts in every aspect of even security or resiliency or software engineering, and if you consider all those aspects that a customer needs to think about, they are not experts in everything, right? So the idea here is, in order for them to really meet all these requirements and do it in a cost-effective manner, really what needs to happen is we need to make this easy for them using automation and tools, right? And the way to make it easy is to codify those best practices and policies and manage policies just like you'd manage source code. So that's the whole premise behind policy-based governance. So from a Red Hat point of view, this is an initiative that we have been pushing for a while, and we have this capability available today as part of our Red Hat Advanced Cluster Management for Kubernetes product offering. It is also available in our Red Hat OpenShift Plus bundle, which bundles ACM and also includes Advanced Cluster Security, which is a recent acquisition of StackRox, which is now rebranded as ACS, and Quay. So this policy-based governance capability is available
through these product offerings, and I also have links here to various blogs we have on this topic, as well as a CNCF Sandbox project we have submitted for this, which is slated to be reviewed in November this year. So let me highlight a little bit about what the key capabilities of policy-based governance are, what the things you need are. First, if you think about any customer, including TIAA, right, they're not just managing one cluster; they're typically managing multi-cluster. So really your policy management approach has to be multi-cluster, and if you look at some of the community policy engines that are out there, like Gatekeeper, Kyverno and so on, they are single-cluster engines, which are very powerful in their own right, but really what we want to do is to enable a multi-cluster framework that allows you to ship policies to all those engines and manage them in a scalable manner. Secondly, the policy framework has to be extensible, because I don't think we are going to have one policy language or policy engine agreed upon across the planet, right? So there are going to be multiple, so you need a policy framework that can integrate multiple policy engines. So that's very important, and that's what we have in ACM, and that allows you to integrate with both Red Hat and third-party policy enforcement points. And these policy enforcement points could be, as examples, the OpenShift Compliance Operator, which comes as part of OpenShift; ACS, which is the Advanced Cluster Security StackRox product; it could be, you know, third-party vendors such as Sysdig; and also community technologies like Kyverno, Gatekeeper, etc. The third thing is, as I mentioned earlier, you need this policy-based governance applied across the entire stack, across all the controls, so that definitely requires collaborative development of best practices and policies. So an upstream, active community is very important, and we started one in the policy-collection repo, and one of the things we're also
looking at in the Kubernetes Policy Working Group, which both Aradhana and I are part of, is to bring that to that working group and, you know, foster more industry collaboration in that space. So here's the overall architecture. So you have the management hub; this is the central multi-cluster management hub that allows you to manage all the different managed clusters. So policies get deployed here, and the policies can be authored through UI or CLI or GitOps. GitOps is the preferred methodology, because then you manage policies just like you manage source code. And then the policies get deployed to managed clusters based on a concept of placement. The placement could be based on various criteria, so you could, for example, assign labels to your clusters for production and development and say, you know, apply all these policies to my dev clusters or all these policies to my prod clusters, or you could also have application of policies based on the type of cluster, whether, you know, it's an OpenShift cluster running on Amazon versus an OpenShift cluster running on Google, etc. So on the managed clusters you have various policy enforcement points, and these provide one or more controls, and these technical controls then map to compliance standards as listed here. So that's the whole idea here. And then on the right-hand side we are integrating with traditional enterprise IT tools, whether it is for incident management or enterprise governance system compliance tools or SIEMs for the security operations center. So because, like Aradhana pointed out, customers are looking at adopting container platforms as an extension to the existing IT infrastructure, right, their existing IT infrastructure as well as IT processes and tools are the things that you see on the right-hand side, and we want to make sure that as they adopt cloud they can easily integrate with those as well. So I'm going to take a few minutes to just do a quick demo, just to give you a flavor of how
these things work. So here is the console for the ACM product, and you can see that the ACM product provides various capabilities. It provides cluster lifecycle, which allows you to provision clusters as well as discover clusters and bring them into ACM for management. It has end-to-end visibility, which is the observability layer that allows you to monitor the performance characteristics, compliance characteristics, etc. It has an application lifecycle that allows you to define applications and then deploy them across a set of clusters and also easily move pieces of the app as needed. And it has this governance, risk and compliance piece, which is the one I'm going to focus on. So in the governance and compliance panel, when you go to this panel, what you see at the top is a summary view. The summary view is based on the various standards, so when you define a policy in ACM you can say which standards it applies to, and a policy can apply to multiple standards, both internal and external. So that's what you're seeing here, and then we have a set of policies defined here, and you can see that we have policies for a wide variety of controls. So we have policies for, for instance, encryption; policies to deploy various enforcement points like Gatekeeper, the Compliance Operator as well as Kyverno; and we also have policies that Gatekeeper can enforce as well as policies that Kyverno can enforce. In addition, we have policies for checking on certificate expiration, for example, etc. Now the OpenShift Compliance Operator, which is a single-cluster feature that comes as part of OpenShift, allows you to specify various security profiles, and it will then do checks on the managed cluster for those profiles. So here is an example: CIS is one security profile it supports, and you can see that we have used ACM to configure the Compliance Operator to this security profile, and then it can return results which you can view centrally from ACM, and you can see that it returns back, all
for all the rules it checks, the things that are not compliant; it can return back those results. The other thing I wanted to highlight here is, when you look at the various policies, they can be deployed either in enforce mode or in inform mode. Enforce mode is basically that the policy will drive the configuration to the desired state that is specified in the policy, whereas inform mode is more an audit kind of mode where, if the policy is not compliant, it's just going to flag a violation. So here, as an example, the certificate policy we have set in inform mode. So in that case, when the violation occurs, one of the things you can also do is configure automation. So in this case this automation is specifying an Ansible playbook, and this Ansible playbook is generating a Slack notification. So by doing this we are able to trigger notifications. This is the right-hand side in the architecture chart I showed you, where we can integrate with enterprise processes. So for policy violations now you can open tickets, for example; we also have integration with ServiceNow; or you can generate a Slack message. This then allows you to action those things per the enterprise processes. So this is what I refer to as automated governance: not only can you trigger automation to get to the desired configuration state for the controls by deploying policies in enforce mode, you can also do the same thing using automation that you've defined with a policy in inform mode, and that allows you to also ensure that you are complying with the enterprise IT processes. Let me just quickly highlight one more thing before I turn it back to Aradhana. So one of the things you see here is the Advanced Managed Cluster Security as well as the Advanced Cluster Security Operator. These are the components of Advanced Cluster Security, which is the StackRox acquisition. So you can see that we can actually use ACM to deploy the StackRox Central component as well as the
StackRox individual agents on those clusters, and you can see that the cluster names here are exactly the same names that ACM knows about, because ACM is basically determining the inventory and then it is ensuring that StackRox is placed on those clusters. And so, as I mentioned earlier, the OpenShift Plus bundle includes ACM and ACS; it also includes Quay, and you can see here we also have integration with Quay from ACM, where we can use this policy, the image manifest vulnerability policy, to detect vulnerabilities from Quay. So that's kind of a little demo, and then let me conclude by showing you our GitHub. So this is the policy-collection repo, where we have policies in both the stable and community folders, and we also have a lot of blogs that you can go and read. Back to you, Aradhana. Can you hear me?

Aradhana seems to have dropped, so if you could go back to the slides, Jaya. Sorry about that; we've had some little technical snafus and you may have to talk through the slides. Not sure whether she ran out of time, because I know she's a very, very busy person.

Yeah, I can definitely talk to this. So the rest of the presentation we were planning to focus on the work that we are doing in the Kubernetes Policy Working Group, which both Aradhana and I are part of, as well as a few others. So in this working group we are focused on two efforts in recent times. One is the PolicyReport custom resource definition. So this is a standard that we have defined for returning policy violations, and this is supported by multiple enforcement points, such as the Falco operator, the Kyverno policy engine, etc. So this allows, from a management point of view, a standard way to be able to collate the results and then integrate with enterprise tools. The second piece of work that we are focused on is the Kubernetes policy management white paper, and so we had published it out there for review, received a bunch of comments; I've incorporated all
those comments, and now we are ready to commit the paper. So you can actually see it here; this is the policy management white paper. So that is another really good effort from this working group. And then the other thing I wanted to point out is that we have a policy management panel coming up tomorrow in this conference that Aradhana and I will be part of, as well as Jim and Robert. Please join us there so we can continue the discussion in terms of the what, why and how of policy management for Kubernetes. Dan, I don't know how much time I have at this point.

So at this point we have hit the end of your half an hour, considering all of our wonderful snafus and technical things. So we're going to ask our next speaker to join us; it was John Fortin. And so thank you, Jaya, and please thank Aradhana for taking time today as well. If you can stay around in Hopin for a few minutes, Jaya, there may be some questions there, and maybe add the links in Hopin to your events that are happening for the rest of the week of KubeCon, so if people want to join and come to those, that will be great.

Awesome, sounds good. Thank you very much for the opportunity here. Thank you.
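The policy model Jaya walks through in the demo (a hub-side Policy wrapping per-engine templates, inform versus enforce remediation, standards annotations that feed the summary view, label-based placement onto managed clusters, and an automation hook that runs an Ansible job on violation) expressed as one set of ACM manifests. This is an added example for the reader, not code from the talk, from TIAA or from the policy-collection repository; the `policies` namespace on the hub, the cluster label `env=prod`, the `ingress` namespace, and the Ansible job template and credential secret names are assumptions.

```yaml
# Added example, not from the talk or from policy-collection.
# Assumed: hub namespace "policies", cluster label env=prod, namespace "ingress",
# Ansible job template "notify-slack-on-violation", secret "ansible-credentials".
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-prod-baseline
  namespace: policies
  annotations:
    # These annotations are what the governance summary view groups by.
    policy.open-cluster-management.io/standards: NIST SP 800-53, CIS
    policy.open-cluster-management.io/categories: SC System and Communications Protection
    policy.open-cluster-management.io/controls: SC-12 Cryptographic Key Establishment and Management
spec:
  disabled: false
  remediationAction: inform   # default for templates that set none
  policy-templates:
    # Inform mode: only reports. Flags any TLS secret in "ingress" that
    # expires in less than 300 hours.
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: CertificatePolicy
        metadata:
          name: certificate-expiry-check
        spec:
          namespaceSelector:
            include: ["ingress"]
          remediationAction: inform
          severity: medium
          minimumDuration: 300h
    # Enforce mode: drives the cluster to the desired state, here a
    # Namespace that must exist and carry an owner label.
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: ingress-namespace-owner-label
        spec:
          remediationAction: enforce
          severity: low
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: v1
                kind: Namespace
                metadata:
                  name: ingress
                  labels:
                    owner: platform-security
---
# Placement: only available clusters labelled env=prod receive the policy.
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: placement-prod-clusters
  namespace: policies
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - key: env
        operator: In
        values: ["prod"]
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: binding-policy-prod-baseline
  namespace: policies
placementRef:
  name: placement-prod-clusters
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: policy-prod-baseline
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
# Automation on violation: run an Ansible job template (for example one that
# posts to Slack or opens a ticket) once the policy becomes non-compliant.
apiVersion: policy.open-cluster-management.io/v1beta1
kind: PolicyAutomation
metadata:
  name: policy-prod-baseline-automation
  namespace: policies
spec:
  policyRef: policy-prod-baseline
  mode: once
  automationDef:
    type: AnsibleJob
    name: notify-slack-on-violation   # assumed job template name
    secret: ansible-credentials       # assumed secret holding the controller host and token
```

Apply the file on the hub with `oc apply -f` in the `policies` namespace; the hub propagates the templates to every cluster the PlacementRule selects. The split between the two templates is the practical point of inform versus enforce: the CertificatePolicy can only report, because rotating a certificate is not something a policy controller should do silently, while the ConfigurationPolicy is safe to enforce since its desired state is fully described in the manifest. Keep the file in Git so that a policy change is a reviewed commit rather than a console click.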