
Cloud Native Security Whitepaper #138

Closed
14 tasks done
ultrasaurus opened this issue Mar 23, 2019 · 28 comments
Labels: project work of the group; whitepaper (Related to discussion of white papers)

Comments

@ultrasaurus (Member) commented Mar 23, 2019

In 2018, SAFE WG focused on understanding security, given modern (cloud native) enterprise infra, and synthesized it into a common understanding; however, much of what we have learned is buried in meeting notes and presentations.

We would like to now communicate what we’ve understood to the rest of the world. One step will be to draft a SAFE whitepaper that covers over-arching concerns. Some of us met (March 22, 2019) to brainstorm a whitepaper outline:

Outline:

  • Objective
  • Audience
  • Intro
    • Goals
    • Scope
    • Assumptions
  • Cloud Native Layers
    • Environments
    • Lifecycle
  • Personas & Use cases
  • Security, Compliance & Auditing
  • Security Stack
  • Evolution
  • References

Current Whitepaper Work in progress:

Whitepaper ready for review Comments are turned on so please comment!

TO DO

  • SIG Chair support: @pragashj
  • Project leader: @TheFoxAtWork
  • small group to review next iteration of outline & define terms starting 7/29 9AM Pacific
  • create schedule
  • Create Outline
  • present draft to SIG (including goals, target audience, in scope / out of scope)
  • Solicit intended audience cursory review

Proposed Schedule:

  • Due AUG 12 2020
  • Tasking Assignment - group members interested in content generation for a particular topic area at the numeric alpha level (1.b for instance) should place their names in parentheses next to the title. Members with subject matter expertise in areas below numeric alpha and wishing to contribute to that sub-section should include it by their name for the topic area.
  • AUG 12 thru SEP 02 2020 - Content rough-in
  • Content Rough-in - group members should begin generating content for the respective areas of assignment. Cohesive sentences, concepts, phrasing, etc. should be placed in quotations ("") for later review as whole content.
  • Meeting on AUG 26
  • Content rough-in will be pulled into clean working doc after meeting on AUG 26 and shared with group.
  • SEP 02 thru SEP 23 2020 - Collaborative review
  • Collaborative review - group members will comment and review initial draft content on clean doc.
  • Meeting on SEP 09 - get a feel for where we are at, additional time needed, any questions, etc.; identify presenters for the SEP 23 SIG meeting on the CNSWP content draft.
  • Link to the Working Draft
  • SEP 23 2020 thru OCT 07 2020 - executive summary and content wrap up

  • ~OCT 07 thru OCT 19 2020 Narrative Voice

  • Narrative Voice and content level - limited review to provide singular narrative voice and ensure content level is in keeping with goals, audience and scope
  • no meeting
  • SIG Security presentation and overview - unassigned
  • ~OCT 19 thru OCT 27 2020 Final Group Review
  • Final Review - final review by group, with selected "intended audience"
  • Post content to the repo after review?
  • CNCF Editorial Assistance - @dshaw @pragashj

  • ~DUE NOV 04 2020 (subject to CNCF timeline) Final adjudication

  • Final adjudication

Meeting notes for WG syncs

Meeting note and agenda

@ultrasaurus (Member, Author)

@pragashj @dshaw @ultrasaurus, Jessica Walker and Sara Dornsife met to discuss white paper content - see 3/22/2018 meeting notes

@ultrasaurus (Member, Author) commented Mar 23, 2019

Moved outline into separate doc where we can elaborate into a full whitepaper.

[OUTDATED] NOTE: As of July 2020, we have moved to a new document: Cloud Native Security Whitepaper - @dshaw

EDIT (@lumjjb): New document is at https://docs.google.com/document/d/1MEeqWvUavXK5TkuFIfoJbtxCT-2FdTw7jgYP3kxtbmk/edit?usp=sharing

@rficcaglia (Contributor)

Just a process question - is it more desirable to use Google Docs vs. markdown docs that can be PR'd? Is the idea to minimize git activity until there is a solid draft document rather than have the full "sausage making" process clutter up the git stream?

@pragashj (Collaborator)

That is the idea, please feel free to chime in on the doc and help shape it.

@lumjjb lumjjb added the whitepaper Related to discussion of white papers label May 30, 2019
@ultrasaurus ultrasaurus added the project work of the group label Jul 2, 2019
ultrasaurus added a commit that referenced this issue Jul 2, 2019
@TheFoxAtWork (Collaborator)

related #405

@whaber (Contributor) commented Jul 22, 2020

I would like to participate. Please include me in future discussions on it.

@vinayvenkat (Contributor)

+1 @vinayvenkat

@PushkarJ (Collaborator)

+1 please include me

@tabbysable (Contributor)

+1

@trishankatdatadog (Contributor)

+1

@dshaw dshaw changed the title security overview whitepaper Cloud Native Security Whitepaper Jul 22, 2020
@dshaw (Collaborator) commented Jul 22, 2020

@vinayvenkat @whaber @PushkarJ @tabbysable @trishankatdatadog I have added you all to the new working group Slack channel.

For any other members of SIG-Security who may want to join us, add yourself here then please also ping me on Slack.

@chasemp (Contributor) commented Jul 22, 2020

Please add me at your convenience to the slack channel. Thanks @dshaw.

@gadinaor (Contributor)

@dshaw - can you add me to the slack channel please

@sublimino (Member)

@dshaw me too please 🙏

@TheFoxAtWork (Collaborator)

@gadinaor - i don't see you in the members listing or in the existing slack to add you

@gadinaor (Contributor)

@gadinaor - i don't see you in the members listing or in the existing slack to add you

@TheFoxAtWork true // I'm part of it now

@IAXES (Contributor) commented Jul 29, 2020

May I please be added as well? Thank you @dshaw

@kapilt commented Jul 29, 2020

I'm also interested re slack and discussion on this topic, thanks @dshaw

@TheFoxAtWork (Collaborator)

@kapilt I DM'd you in Slack; I need your email to get you access. Updates are in the channel.

@rowan-baker
May I please be added to the slack channel, I am looking to help @sublimino with his contribution. Also raising a PR to join as a member shortly. Thanks @dshaw / @TheFoxAtWork

@TheFoxAtWork (Collaborator)

Updated with new schedule to allow more time for content generation

@TheFoxAtWork (Collaborator)

Team is moving forward! extended the collaborative review by a week to accommodate busy schedules

@SaadUSheikh

@ultrasaurus please can you add me to the Security white paper? I want to give some inputs, especially from a Telecom perspective. Thanks

@fctoibm commented Sep 16, 2020

Enterprise
Core areas of concern for Enterprise to adopt a cloud-native model are maintaining the current process and procedures while meeting the business objective. Keeping the interoperability, data loss or leakage, and security risk exposure at a minimum when new standards and practices are introduced throughout the organization.
Microbusiness
Small businesses tend to focus on short term goals and innovation to meet intense competition. The lack of resources, budget, technology depth, and best practice hinders their ability to adapt to cloud-native solutions. Small businesses require repeatable patterns and a small IT footprint to solve the challenges.
Finance
Core areas of concern for financial industries essential to successful cloud-native adoption are unauthorized disclosure of information, fraud, and fund availability. Fraud can directly impact fund availability, making the integrity of financial transactions of paramount importance.
Healthcare
Core areas of concern for healthcare industries essential to successful cloud-native adoption are unauthorized disclosure of information, timeliness, availability of records, and records accuracy. Due to the nature and practices of the healthcare industry, the availability of records and their associated content is how medical decisions are made. In the absence of such information, new records are developed.
Academia and education
Core areas of concern for educational institutions for successful cloud-native adoption can depend upon the intended end user. Institutions catering to minors may have additional legal requirements to protect minors’ confidentiality, thereby making access control critical. Beyond this, institutions should focus on the availability of educational content to end-users.
Public Sector
Core areas of concern for Public Sector organizations implementing cloud-native adoption are security, data sovereignty, compliance, and vendor lock-in. The barriers emerge from agencies placing regulations to protect the public interest. In the public sector, it is essential to maintain harmony and trust between public and government entities.

@lumjjb (Collaborator) commented Sep 16, 2020

Thanks Harmeet, I'll add them into the doc

@TheFoxAtWork (Collaborator)

Thanks to everyone who helped make this possible. The Cloud Native Security Whitepaper now lives in the repo as Markdown. As significant changes occur, we will republish the PDF by major version.

Project Tracking Board for items not committed to Roadmap automation moved this from In progress to Done Dec 4, 2020
TheFoxAtWork added a commit that referenced this issue Jul 9, 2021
Why:

* #138 detailed a need for this and was reiterated at a recent mtg.

This change addresses the need by:

* creating a project resources directory
* linking to existing CNCF resources
* pulling in content from @annabellegoth2boss recommendation
lumjjb pushed a commit that referenced this issue Aug 3, 2021
* What: Initial set of project security resources

Why:

* #138 detailed a need for this and was reiterated at a recent mtg.

This change addresses the need by:

* creating a project resources directory
* linking to existing CNCF resources
* pulling in content from @annabellegoth2boss recommendation

* What: fix spelling issues.

* What: correcting the rest of the spelling issues

* What: last two fixes

* What: Updating with GitHub CNA info

Why:

* CNCF/LF is not a CNA because GitHub is a CNA

This change addresses the need by:

* modifying the incident response template to call out the portion of GitHub docs.

* What: Adding dependabot info & maintenance

Why:

* dependabot is an ideal option when enabled for security updates and configured for versions.

* @lumjjb suggested a maintenance section in the readme and that is always smart.

This change addresses the need by:

* added details to the readme
* testing spelling

* What: adding disclaimer.

* What: Updates per review

Why:

* @lumjjb brought up some valid items
* @jlk correctly pointed out the overuse of the word "issue" and potential confusion

This change addresses the need by:

* added in @lumjjb's suggestions
* swapped `issue` for `problem` where appropriate
* improved readability in README.md for maintenance
* added disclaimer

* What: spelling update

* What: Updates per latest review

Why:

* nits found

This change addresses the need by:

* resolving nits

* What: more nits.
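The commit message above describes two distinct Dependabot features: security updates, which are switched on in the repository's settings rather than in a file, and version updates, which are driven by a `.github/dependabot.yml` file. The configuration below is an added illustration of the version-update half, not a file from the tag-security repository; the `gomod` ecosystem, the `/` directory and the weekly cadence are assumptions chosen for the example, and the `github-actions` entry shows that workflow actions can be pinned and bumped the same way.

```yaml
# .github/dependabot.yml (added example; assumed ecosystems and schedule,
# not the tag-security project's own file)
version: 2
updates:
  # Version updates for Go modules found in the repository root.
  # Security updates for these same modules are enabled separately
  # in the repository's Settings > Code security, not here.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    # Keep the PR queue small so maintainers can actually review each bump.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"

  # Workflow actions (uses: owner/repo@ref) are dependencies too;
  # this keeps them on current, patched releases.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"
```

The maintenance point the commit message makes still applies with this file in place: Dependabot only opens the pull requests, and someone has to review and merge them for the fix to land.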
Michael-Susu12138 pushed a commit to Michael-Susu12138/tag-security that referenced this issue Dec 12, 2023