
CNCF Cloud Native Security Map Vanilla #551

Closed
2 tasks done
lumjjb opened this issue Feb 25, 2021 · 42 comments
Labels
CNSecurity Map cloud native security map (landscape v2) good first issue Good for newcomers help wanted Extra attention is needed project work of the group

Comments

@lumjjb
Collaborator

lumjjb commented Feb 25, 2021

CNCF Cloud Native Security Map Vanilla

For a much more detailed guide on this project and how to start contributing, please comment on the issue and take a look at https://docs.google.com/document/d/1ytshTEnoKqP0m0JFKO4IB2qEFaIAZc9jDet6VdeT3sE/

Description:

We have discussed the vision of the cloud native security map (#348); the ideas and discussions are available in this google doc. The eventual goal for the Cloud Native Security Map requires a HUGE effort. Therefore, we are breaking this down into a series of major contributions.

Therefore, the following proposes the initial version of the Cloud Native Security Map (CNSMAP), which is the bare content necessities and design principles required for the CNSMAP. The goal is to complete this effort for publicizing by the CNCF and TOC for Kubecon EU 2021 in May.

Impact:

Impact is documented in this google doc.

Contributors: Listed in https://docs.google.com/document/d/1HZPpzTc-OMDPbWu5PDPto5kym5ngPgQiwgk5My5X-GI/edit

Scope:

For the map, it will be a representation of the list of topics and navigation between the topics; this does not include links between topics and thematic aspects of the CNSMAP.

Timeline:

  • Kickoff: 3 March
  • Content 1 (70%): 17 March
  • Content 2 (completion): 24 March
  • PROD ready Prototype: 24 March
  • Improvements to content + code: Finalize by Apr 16 for CNCF evaluation + marketing for kubecon EU

Dev info:

Latest stage: http://cnsmap.github.io/ , Code: https://github.com/lumjjb/cnsmap

Scoped Topics Tasks List - number is the count of topics per category.

  • Develop (3)
  • Distribute (3)
  • Distribute.Testing (3)
  • Distribute.Artifacts and Images (3)
  • Deploy (3)
  • Runtime.Compute.Orchestration (5)
  • Runtime.Compute.Containers (3)
  • Runtime.Compute (4 - 2 optional)
  • Runtime.Storage (4)
  • Runtime.Access (3)
  • Security Assurance and Controls (5 - 3 optional)
  • Compliance (2)
@lumjjb lumjjb added proposal common precursor to project, for discussion & scoping good first issue Good for newcomers help wanted Extra attention is needed project work of the group and removed proposal common precursor to project, for discussion & scoping labels Feb 25, 2021
@ashutosh-narkar
Collaborator

@lumjjb I'm happy to volunteer to be one of the project leaders.

@freddyfernando
Contributor

I'm glad to help in this effort too.

@0x646e78
Contributor

0x646e78 commented Mar 2, 2021

Just posted in Slack, but also interested. Been reading through the content as it currently is.

@mattj-io
Contributor

mattj-io commented Mar 3, 2021

I am happy to volunteer to help with this effort.

@ricard0ff

I'm happy to help with this effort!

@willurbanski

I'd love to support this effort!

@lumjjb
Collaborator Author

lumjjb commented Mar 4, 2021

Hi all and welcome to the issue/channel (#sig-security-whitepaper-map)! We are starting the content contribution phase. The idea is that over the next 2 weeks we will be working on writing in the content in the google doc, and we will have an optional meeting occasionally to track our progress and answer any questions.

The next meeting is going to be next Wednesday 10 March at 9:30AM PST / 12:30 PM EST. Please send me your email address for an invite!

So what's next! To start getting involved!

Step 1: Go to the document, https://docs.google.com/document/d/1ytshTEnoKqP0m0JFKO4IB2qEFaIAZc9jDet6VdeT3sE/edit and go down to the Content Contribution Table section, then put your name in the table beside the topics that you would like to contribute to.

Step 2: Scroll down to the topic that you'd like to contribute to, and start filling up the sections. The goal is to provide additional content which can be pragmatically used by practitioners/learners...

The sections include:

  • projects - CNCF/Open Source projects and their links that are relevant to the section, commercial projects are also valid, but should be marked explicitly
  • examples - what are some examples of implementing some of these security controls - be specific! The idea is to provide an illustration of topics in the whitepaper
  • links - Any other links that are relevant, blog posts, standards, etc.
    If there are doubts on what exactly this topic means, the topic titles contain links to the whitepaper. This should give you a better idea conceptually on what the topic is about.

And whenever in doubt, take a look at the Content Contribution section (which has a filled up content example), or you can ping @ash, @diego Comas, @vinay Venkataraghavan, @brandon Lum if you have questions or need further guidance!

@fdicarlo

fdicarlo commented Mar 8, 2021

Hi @lumjjb, @ashutosh-narkar and @dcomas, I am happy to contribute on the Zero Trust part.

@dcomas
Contributor

dcomas commented Mar 8, 2021

@fdicarlo thanks, I will add your name in the table. You can join the discussion in the Slack channel, where you can share with us your email to give you access to the doc: cloud-native.slack.com #sig-security-whitepaper-map

@whaber
Contributor

whaber commented Mar 9, 2021

I'm going to try to make the time to help with this.

@lumjjb
Collaborator Author

lumjjb commented Mar 10, 2021

Hi All! We are going to be meeting an hour before the SIG meeting, not compulsory, but if you have any questions on contributing or like to get a bit more background on the project, do join in!

Time: 12pm-1pm EST, 9am-10am PST (This is 1 hour before regular SIG meeting)
Meeting link: meet.google.com/goe-ehpx-ucy

@binchenX

Would love to help. Have requested write access to the doc.

@dcomas
Contributor

dcomas commented Mar 10, 2021

Would love to help. Have requested write access to the doc.

You should have access now. Thanks

@tomoveu

tomoveu commented Mar 10, 2021

@dcomas, I would like to contribute as well. I know there are some efforts around adding hardware-based security using HSM/TPM. I think having configuration protection using a TPM is a great feature for Cloud based technologies. This is just one of the solutions I have seen in Datacenters that I would love to see in Cloud environments. I will try to join for at least part of the call today.

@mtverraen

I'd like to help as well. Have requested write access to the doc now.

@lumjjb
Collaborator Author

lumjjb commented Mar 15, 2021

Hi All, the doc looks awesome and is really shaping up! Love all the content so far! There are a couple of topics that folks have signed up for but haven't filled in yet; with that done, we should be on track to reaching our 70% content goal by Wednesday!

No meeting for this week, the next one will be on 24th March! But be sure to keep your calendars up to date with daylight savings in effect now!

@fdicarlo

Hi, working on my part between this evening and tomorrow (so before the deadline).

@tomoveu

tomoveu commented Mar 15, 2021

I will add my first contributions tomorrow. Also before the deadline :) Thanks for the summary @lumjjb

UPDATE: first contributions added.

@TheFoxAtWork
Collaborator

Related #348

@tomoveu

tomoveu commented Mar 22, 2021

@lumjjb, I am getting confused over here.

I added my contributions about "Signing, Integrity and Trust" to this document https://docs.google.com/document/d/1HZPpzTc-OMDPbWu5PDPto5kym5ngPgQiwgk5My5X-GI/edit#heading=h.lzd2ob2mrbjp

Afterwards, I saw "Signing, Integrity and Trust" mentioned here https://docs.google.com/document/d/1ytshTEnoKqP0m0JFKO4IB2qEFaIAZc9jDet6VdeT3sE/edit#heading=h.6ir79kvwirrt

Could you please tell me which document is primary and where I should make my contributions?

@tomoveu

tomoveu commented Mar 22, 2021

@lumjjb , I also saw some overlap between "Image Trust and Content integrity" and "Signing, Trust and Integrity". Maybe some parts of them could be merged?

I added information about sigstore as one more solution. It is a new Linux Foundation project. It offers what RedHat Simple Signing can do plus a transparent log. Extra info: It does not yet have a TPM backend.

@lumjjb
Collaborator Author

lumjjb commented Mar 24, 2021

Hi All! We are in the last stretch of content creation; there are just a couple more topics which need additional information. Some of these only require examples to be added (with the -examples tag). It would be awesome if we can get a couple more contributions to round up this work!

Below is a copy of the table in the document: https://docs.google.com/document/d/1ytshTEnoKqP0m0JFKO4IB2qEFaIAZc9jDet6VdeT3sE/edit#heading=h.nx6klypo0kk2

@mtverraen is also helping out with the development of the map website. If you are interested in helping out with the dev on this, please let us know! We will show a prototype with the content in a week or two!

Here's a copy of the list from the doc!

Topics with no assignees yet:

  • Development of Tests
  • Code Review
  • Resource Requests and Limits
  • Control Plane Authentication and Certificate Root of Trust
  • Storage Stack
  • Storage Encryption
  • Persistent Volume Protection
  • Availability
  • Threat modeling

@lumjjb
Collaborator Author

lumjjb commented Mar 30, 2021

@tomoveu I saw your additions to the doc. There's some overlap with content because of the way the whitepaper is structured, so there is bound to be some overlap. There are plans to help address these overlaps by linking the topics in the future. But I saw your additions on sigstore! Thanks for contributing!

@amye

amye commented Apr 1, 2021

@lumjjb - Ping me when you're ready for design help and I'll get you in the queues.

@amye

amye commented May 5, 2021

I have the design team on deck for whenever we have a final draft of text, that's the gateway here to get design involved.

@lumjjb
Collaborator Author

lumjjb commented May 5, 2021

Thanks @amye, we will clean up the content next week and ping back.

In the meantime, if it's helpful, we have the current site that design can take a look at: https://cnsmap.vercel.app/

@amye

amye commented Jun 15, 2021

Hi all,
checking in on status here!

@lumjjb
Collaborator Author

lumjjb commented Jun 17, 2021

Hey @amye, this is going to be wrapped up within a week! Will ping back once we are good to go.

@lumjjb
Collaborator Author

lumjjb commented Jun 21, 2021

Hi @amye we are ready for the design team! The current version is running at https://cnsmap.vercel.app/

@amye

amye commented Jun 21, 2021

Excellent! I've updated the internal ticket on our end.

@lumjjb
Collaborator Author

lumjjb commented Jul 14, 2021

Hi @amye, any word from design team yet?

We're hoping to target having this completed and hosted, ready for kubecon NA. Does that work with the design team?

@amye

amye commented Jul 14, 2021

@lumjjb: I'll make sure they know that

@raesene
Contributor

raesene commented Jul 14, 2021

A couple of quick questions on this one. Is there a good way to add tools to sections? Also is there a focus on just Open source tools or are commercial tools being listed as well?

@ashutosh-narkar
Collaborator

@raesene we are focussing on just Open source tools at the moment. We are working on criteria that will add clarity to the kind of open-source projects that can be added to the map. Expect a PR soon.

@chadmcrowell

I would like to contribute.

@lumjjb
Collaborator Author

lumjjb commented Jun 14, 2022

Awesome @chadmcrowell, we are planning to start work on the v2! I would encourage you to take a look at #737

@ashutosh-narkar
Collaborator

Closing this as we have an initial version of the CNS Map.
