This document outlines a proposed approach to continuous security and compliance called GitSec. It proposes centralized policy management by storing policies in versioned Git repositories. A policy manager and various adapters would connect these policies to enforcement points across Kubernetes, Istio, and other systems. The Open Policy Agent (OPA) is identified as a way to develop policies using the Rego language and deploy them as sidecars or standalone apps. The approach aims to provide uniform real-time policies, bridge between business and technical policies, and create confidence and auditability through a centralized approach to policy management. The ideas are sound but more detail and implementation work is needed, especially in integrating with component-specific policy definitions and supporting Open Policies.
9. We need Continuous Security together with Continuous Compliance: automated, making things more secure, making professionals' lives easier, and not getting in the way of productive development.
12. Centralized policy management creates confidence and auditability
Uniform real-time policies prevent costly mistakes
Bridging business and technical policies helps stakeholders work together
14. GitSec
Centralized policies in versioned repositories
Use Git as repository
A methodology for mapping repositories and branches to running software
15. φυλακή (phylake):
1. guard, watch
2. a watching, keeping watch
3. to keep watch
4. persons keeping watch, a guard, sentinels
5. the place where captives are kept, a prison
6. the time (of night) during which guard was kept, a watch, i.e. a period of time during which part of the guard was on duty, and at the end of which others relieved them
Phylake: the tool set for GitSec
18. What Is the Open Policy Agent (OPA)?
The Open Policy Agent (OPA) is a cloud native real-time policy engine
CNCF project (Sandbox)
Can be deployed as a sidecar or standalone app
Integrations for common infrastructure components
The Rego language is an accessible formal policy language
Tooling for developing policies in Rego
http://www.openpolicyagent.org/
Unify as far as possible on Open Policies
25. Very rough outline of the GitSec methodology
Prototype implementation of Phylake in Go
Prototype of the policy manager and policy checker
Supports Kubernetes admission control and Istio network policies
Simple YAML business policy definitions
We are at the very beginning
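As an added illustration of what the slides on OPA and on the GitSec prototype describe (Rego policies for Kubernetes admission control, fed by simple business-policy definitions kept in a versioned repository), here is an example admission-control policy. It is example code written for this page, not Phylake's own code or an official OPA sample. The business policy is assumed to be committed as a YAML/JSON file (shape shown in the comment) and loaded as `data.business_policy`; the `deny` rules translate it into technical checks on the AdmissionReview that the API server sends. The syntax uses `import rego.v1`, so it needs OPA 0.59 or later.

```rego
package kubernetes.admission

import rego.v1

# Business policy, kept in Git and loaded as data (assumed shape, e.g. from
# business-policy.json next to this file):
# {
#   "business_policy": {
#     "trusted_registries": ["registry.example.com/"],
#     "required_labels": ["owner", "cost-center"],
#     "production_namespaces": ["prod", "payments"]
#   }
# }

# Only Pod create/update requests are checked here.
is_pod if {
	input.request.kind.kind == "Pod"
	input.request.operation in {"CREATE", "UPDATE"}
}

in_production if input.request.namespace in data.business_policy.production_namespaces

# Regular and init containers are treated the same way.
containers contains c if some c in input.request.object.spec.containers

containers contains c if some c in input.request.object.spec.initContainers

image_trusted(image) if {
	some registry in data.business_policy.trusted_registries
	startswith(image, registry)
}

# Business rule "only images from company registries" -> technical check.
deny contains msg if {
	is_pod
	some c in containers
	not image_trusted(c.image)
	msg := sprintf("container %q uses untrusted image %q", [c.name, c.image])
}

# Business rule "production workloads must be attributable" -> required labels.
deny contains msg if {
	is_pod
	in_production
	some label in data.business_policy.required_labels
	not input.request.object.metadata.labels[label]
	msg := sprintf("production pod must carry label %q", [label])
}

# Hard technical rule independent of the business policy.
deny contains msg if {
	is_pod
	some c in containers
	c.securityContext.privileged == true
	msg := sprintf("container %q must not run privileged", [c.name])
}

# AdmissionReview response returned to the API server.
main := {
	"apiVersion": "admission.k8s.io/v1",
	"kind": "AdmissionReview",
	"response": response,
}

default response := {"allowed": true}

response := {"allowed": false, "status": {"message": concat("; ", deny)}} if count(deny) > 0

# Unit test for `opa test`: constructed request, untrusted image plus a
# missing "cost-center" label in a production namespace -> two denials.
test_untrusted_image_and_missing_label_denied if {
	result := deny with input as {"request": {
		"kind": {"kind": "Pod"},
		"operation": "CREATE",
		"namespace": "prod",
		"object": {
			"metadata": {"labels": {"owner": "payments-team"}},
			"spec": {"containers": [{"name": "app", "image": "docker.io/library/nginx:latest"}]},
		},
	}}
		with data.business_policy as {
			"trusted_registries": ["registry.example.com/"],
			"required_labels": ["owner", "cost-center"],
			"production_namespaces": ["prod"],
		}
	count(result) == 2
}
```

Run `opa test .` in the directory holding the policy to execute the embedded test, or `opa eval -d policy.rego -d business-policy.json -i review.json 'data.kubernetes.admission.main'` against a captured AdmissionReview to see the response the API server would receive. Keeping the business policy as data rather than hard-coding it in Rego is what lets non-technical stakeholders change thresholds and lists through a reviewed Git commit while the technical rules stay stable.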
27. Our ideas are sound and create value
The GitSec concepts need more love and much more detail
Open Policy is not widely supported yet
⇒ It makes sense to integrate component-specific policy definitions now and converge on Open Policies later
29. Absolutely!
We want Phylake to be community-driven Open Source (It isn’t, yet)
We’re still at the early stages
Take part, or just stay informed
Contact me: andreas.zitzelsberger@qaware.de
@andreasz82