 Hello everybody, welcome to our talk on Assessing environments against cloud native security best practices We are going to be talking about some work that Pratik and I have both done in the CNCF tag security group Called the cloud native security controls project So really quickly who are we so I'm there on the right. My name is John Zola I am the CTO and co-founder of a company called CISO We do security consulting stuff and I'm based out of Pittsburgh, Pennsylvania I'm a huge fan of open source and that's why I took up leading the controls project It's kind of the short term for the cloud native security controls catalog I just can consider that the controls project and I'm also a sands instructor So I do some instruction on cloud native and DevOps things Myself Pratik Ljotiya. I'm a cloud security engineer at reddit I'm helping to keep the deployment secure at reddit from a cloud and Kubernetes perspective I'm based out of Denver right near the mountains do a lot of hiking there and Again, I'm a big fan of open source as well and I do contribute to several projects within the CNCF ecosystem I Also run the local CSA Colorado chapter with the cloud security Alliance where we do monthly meet-ups on talks various technical sessions So if you're based in Colorado, please hit me up after this This is a quick look at the things that we'll be talking in the talk today This is the agenda. We'll be dividing this into two phases Phase one is the work which has been already accomplished and completed And the phase two is the work in progress and a road map looking forward So can I do a quick show of hands? How many of you are in the infosec security side of the role a Few and then how many of you are on the compliance and the auditing side a couple. Yeah so You know a lot of us since CNCF tax security started Since everyone has been doing Kubernetes security we've been trying to accomplish a lot of best practices and Coming up with what's the best way to secure our ecosystem the biggest challenge here is how do we convince our auditors and The compliance team that hey, we are actually following the right set of controls and our system is compliant to the security best practices Interestingly, you know ever since tax security Started, you know, we've come up with a lot of white papers and reference architectures as a community So we have like the cloud native security white paper. We have the software supply chain white paper the serverless architecture white paper and We keep getting questions on that. Hey Our you know, we've we are somewhere here in the journey to securing our Kubernetes workloads and Now our compliance team is throwing a lot of buzzwords at us, you know ISO to the ISO 27001 SOC to FedRAMP high-trust PCI and they're asking us to reports on whether our Kubernetes A setup is compliant to that and the challenges, you know These frameworks the language is Challenging and difficult to understand for traditional security engineers and we don't know how best to answer their Answer the compliance team on whether we are following the guidelines and and whether our system is compliant or not so with that, you know, we have the CNCF controls working group where We have a set of goals that you know, we started with To accomplish based on the problems that we've been seeing around this The main idea here is that we want to be assessing the existing controls in the cloud native security space and come up with a standard and unified audit framework which allows Which allows engineers to map their their security architecture to the existing Well established established standards and you know output it in like machine readable format so it can be optimized as well In terms of phase one We have like a standard set of controls mapped out ready and we have mapped it to the NIST 853 standards So, you know the typical old meme where we say hey We have a set of kind of controls and standards, but we need one more like Universal standard which covers all so it's like hey now we have 15 competing standards So that is not Something that we try to do we have not come up with like yet another standard What we've done is we've taken the existing standards Available within the cloud native security Ecosystem such as the security white paper and the supply chain security white paper These are the two major white papers that we've targeted around and the idea is to be a lot of this white papers are in terms of Paragraphs and a lot of information on what you should be doing So the idea is to be providing this in terms of a checklist along with a Categorization of where exactly this fits in your deployment So with the existing work that has already been completed We have a set of roughly 200 controls from these two white papers And this is now available in Excel format You know the format are most of our compliance and all the team loves them as well as the markdown format and each of these controls have a Assurance level and a risk category defined This helps you to prioritize which controls you want to be targeting first And then along with the set of controls we have provided some guidance around the implementation as well so say for example Secrets should not be stored in you know certain Kubernetes resources then the guidance is okay This is what you should be using other you should be using the cool Kubernetes secret objects or More importantly using something like a secrets manager for better security So this is sorry yeah, so this is what the mapping looks like We have the controls defined in terms of categorization whether they fall under like storage Deploy time runtime Securing the artifact itself and they provide details on which white paper they've originated from and what exactly is the control being defined And then the second part there is mapping to the 853 controls so each control in the white paper has been mapped to a set of controls within the NIST framework With details on like you know exact identifier like cm2 si 7 So that compliance and audit team can easily identify which control is being met and which NIST control is actually being met by a security control The idea is to be mapping this to you know a lot more Standards as well, and we are definitely looking for more people to join us Or if you have feedback on the existing work done Then please find us later, and we'd be happy to have you in the working group so that We can have your expertise to map this controls to a lot more frameworks With that John for the face to yeah, thanks pretty so what pretty close talking about was what we've done so far Right what we've done so far is take those white papers and distill it down into a list of about 200 things Did a little cross mapping a little implementation guidance things like that, and that's great That's really just a start so what we have done recently is kicked off phase two of this project Which we expect to take much longer to accomplish and may not ever be finished And we have a kind of a goal statement for this new phase Right we're trying to assess the control status of cloud native environments and share the output and machine readable formats So that means we are looking to automatically perform assessments of runtime environments or To assess the evidence that might have been collected during a build process or things like that and Identify whether or not you are doing things that are recommended in these white papers and The real goal is to make compliance toil at companies that use this framework kind of look like that Right toil is one of my favorite terms, and I use it a lot No nobody want it's not a positive term right it's not a thing that we want to be doing we don't want to toil Right, and so we know that there will be ups and downs there'll be spikes you have an audit You might have some additional toil some paperwork some bureaucracy you might have to do that will always exist But our goal is to kind of reestablish a new baseline towards the bottom there, right? So we want to get compliance toil down to a more manageable level and At the same time improve our security observability of these environments So as we're automating these different bits of evidence Session and reports that we can do we want to know about our environments better We want to actually make the security posture of the companies where we're doing this better And so how do we get compliant the toil related to compliance down and the observability about your security environment up? well, that is by Assessing these controls in your environment and then sharing that I'll put in a machine readable format so we can map together so That's a lot and so we tried to narrow down the scope of this project And I don't think we succeeded because our scope is currently all of the CNCF projects So that's fairly broad right there are a lot of different ways that we're going to be looking at Implementing this and we're in the very early stages of that. This is what our project looks like right now We manage everything in open as you can expect for a CNCF tag group to do we have some things done some things in progress and Something still to do we have a lot of design work ahead of us and implementation Our goal is to begin doing a few different proof of concepts of this assessment and build on the shoulders of others and to also Collaborate with other projects are lots of projects within the CNCF that are doing different levels of this sort of an assessment And then there are projects outside of the CNCF which are assessing CNCF projects for this sort of a work Our goal is not to reinvent the wheel. We want to go to where that work is happening and improve it and make it better That will likely Result in us pushing some of our changes upstream into different frameworks those frameworks could be other tools It could actually be other compliance frameworks themselves So working where if you can see you probably can't see that but on there There's things like collaborate with the CIS collaborate with CSA collaborate with NIST There's a lot of different collaborations that we're doing on the what the benchmarks and the frameworks themselves to continually make those better as Well as assessing these runtime tools these CNCF projects at runtime for Compliance or evidence or things along those lines So that's pretty much the story. That's where we're going Here is our call to action So if you are interested in collaborating and doing any of this sort of work I'd suggest going to the CNCF tag security issue 845. That is where we are tracking all of this phase to work There's everything you need to know in that issue regarding when we meet how we meet we meet on a standard zoom chat We have a Channel in the CNCF slack tag security controls So feel free to jump in that and ask any questions that you have And there is a talk that I wanted to give a shout out to that is going to be happening on Thursday at 11 a.m This is if anyone has anyone heard of guac This was just kind of released. All right. Yeah, just a couple. This was just kind of released I think Google did a blog post on it recently and there's been a few others It's a it's another tool one of the collaborations that we have and something that we see as a potential place to identify Whether the evidence collected is the evidence required for an environment and if people are following these best practices So definitely check that talk out. It's going to be interesting and they're gonna have a lot more than 10 minutes to talk with you All about that project That's it for this lightning talk. Were there any questions from the group? Yeah, can I get a microphone up here? Thank you. Hello Thank you for this talk. I think this is the work that you both are doing is very relevant to the work that We have also been doing in the policy work group Because what we did last year, this is the community's policy work group is we published a white paper on policy management and you know, how you represent best practices as policies and Get to a more desired configuration state, etc Right and then this year what we have started embarking on is how do you apply that to achieve business goals such as regulatory compliance, right? So I think that intersects very well with what you are doing So we should definitely chat So we have a maintainer track On Thursday where we are actually going to be talking about our thoughts on how to apply that to compliance, so So let's collaborate. I think that's all I'm saying. Yeah, that sounds great 100% Yeah, we've been finding as we talk more about this There's a lot of people working on this and I'm not interested in 15 new solutions to this one problem I would much rather have everybody kind of piling on in one area kind of like we did with Kubernetes Lots of people collaborating and making Kubernetes better. Let's make this this solving this problem So are you are you doing this in the context of any specific work group or any? Tag security Yeah, so at the CNCF level kind of broader because the policy work group is a sub Yeah, it's under the severe the same groups. Okay, so let's talk. Thank you. Yeah, 100%. Thank you Great, I think we might have time for one more question one more. All right anybody else Yeah, like that just one second It would seem likely that there are situations where There are multiple Configurations at the nuts and bolts level which could satisfy a higher level vaguer compliance How do you handle those do you like say these are the three ways you can do it or do you pick one and then my other question is is Versions are constantly changing you have to like redo this every time a new version of one of your covered projects comes out I feel sorry for you. Yeah. Yeah, there's a lot of work to be done here So there's not only versions of the software that we're assessing and the software we're using to do those assessments But there's also versions of the white papers that we're basing these assessments off of so the cloud native security white paper has version One and version two out and version three is in the works So we are one of the other things that we're doing is care and feeding for this mapping that we've already done and we have version One done we have version two In review we also have feedback on version one in review And we are working with the version three of the white paper as well to to collaborate with that So this version is the white paper versions of the software So all everything is version pinned as far as those assessments go And then your first question was the white papers are necessarily broad There may be many ways to accomplish the control that's defined in those white papers. How do we do it? Well? We don't we don't choose we don't pick This is the only way to do it We're not kind of that opinionated instead. We're saying there are many ways to do it This is one of them this and add another way to assess Compliance and there are likely going to be lots of ways that you could achieve a compliance that this project would not identify as Necessarily compliant, so we're not going to be making a compliant not compliance assessment. It's more so Likely compliant or compliant or we don't know right so we're gonna start with a very like uncertain assessment to start Yeah, yeah, that's so that's where the mappings and things like that come in and that gets really difficult I'll just say that there's a lot of work going on right now in the mapping space because different organizations perform mappings differently So we did a mapping to 853 CIS does a lot of mapping CSA does mapping and the methods that those mappings follow are all different so There's like composability. There's set operations lots of different ways that mappings could be accomplished and how strong those mappings are Depends So that's kind of just where we are as an industry. So great. Thanks everybody