Cloud Native Security Map (Landscape v2)
lumjjb opened this issue · 27 comments
Description:
Provide a different view of a security landscape which will provide more useful information
Impact:
The current security landscape is a list of categories which are useful for an overview. We want to provide an alternative view of the landscape which can be consumable by security practitioners, executives, and users of security.
Scope:
Create a visual landscape of multiple processes, "Creating a cloud native app", "Setting up a cloud native infrastructure", "monitoring, logging, remediation and alerting in cloud native". Each process would be decomposed into several steps and sub-processes, each of which will detail information about relevant threats, examples and mitigations.
EDIT: from whitepaper discussions: The landscape should mirror the topics of the whitepaper, and provide a visual guide and act as a tool for practitioners to find the correct tools to help them.
TO DO
- TAG Representative @lumjjb
- Project leader(s)
- Ash (@ashutosh-narkar)
- Brandon Lum (@lumjjb)
- Diego (@dcomas)
- TBD
This issue has been automatically marked as inactive because it has not had recent activity.
Here is a mockup that we've worked on, I'd like to be able to put this in an interactive web format.
https://drive.google.com/file/d/1sIBxUT1ohmQCzR_ms4OpJ_GAh96IEjZX/view?usp=sharing
If anyone has some expertise doing web work, would be great to get additional eyes on this!
@lumjjb - I could give this a try, please provide a bit more around how "interactive" you would like. Also, do you want it to be hosted on Github or is there a target web hosting place?
Awesome - I think we can work with the assumption that we can have other hosting. We can ask for some resources from the CNCF in that regard.
I found this example that I really liked as part of the gojs library (although I think we can't use it because it's a commercial library). https://gojs.net/latest/intro/events.html (look at the first example of the page, where each word is clickable).
Having the diagram with the flow on the top and whenever you click on one of the items, the description would just appear at the bottom of the diagram. The content would look something like this (ignore the words in the diagram at the top - those should just be each individual step) https://sig-security-scenarios.netlify.app/commits/
Clicking on one of the boxes in the flow would lead to the bottom updating with the details of that box. It would be an added bonus to have nice navigation of the diagram.
I may not be very good with articulating what I'm thinking graphically, so if you'd like we can jump on a call to chat.
@lumjjb - sure, most evenings are open for me, please send meeting invite to yeeling.lam@gmail.com - we could give Google Meet a try if you like ;)
Great! I'll send you an invite. Let me know if another time is better.
Prototype reviewed on 5/20 meeting - https://drive.google.com/file/d/1qfywatjgPqgXqZTDyEAr6vFUBYLQ3MCG/view?usp=sharing
This issue has been automatically marked as inactive because it has not had recent activity.
Now that the whitepaper is completed, we can resume work on the Landscape, which provides a practical/tooling side to the concepts highlighted in the whitepaper.
@lumjjb let me know if I can help on this one, as you mentioned this issue in the CNCF meeting and I think I can contribute. :)
Great, please count me in too if you need some help on this landscape development.
samesies!
Interested. :)
We will be having a kick-off meeting for the security landscape next Wednesday (13 January at 12pm EST / 9am PST). Going to send out an invite - email me at (LUMJJB@gmail.com) if you did not get the invite.
@dcomas I am not able to see your email, could you ping me? tks
@PushkarJ saw your note in the channel, seems like you're interested, ping me your email if you'd like to join as well
Please add me as well !
Agenda for SIG Security “Landscape” kick-off meeting (covering 1-4)
1. Goals and Non-goals of SIG-Security “Landscape”
- Provide a mapping of CNCF and open source projects to areas of CN Security whitepaper
- Provide a practical viewpoint and information on topics in the CN Security whitepaper
- Identify gaps in CN Security in the ecosystem and make recommendations to TOC
- Help educate practitioners of what technologies can be used in practice and how they tie into each other
- Provide practical tips or examples for how to use tools within this category, or why they are important (i.e. example breaches, etc.)
- Provide a reference for frameworks to utilize when developing CN Security solutions and architectures.
Non-goals:
- Not an implementation guide on how to implement CN Security
- Not a checklist of what to do
- Not one technology focused (i.e. not taking 1 reference architecture and developing the landscape around it).
2. Naming of SIG-Security “Landscape”
Make suggestions and bring ideas to community
Suggestions
- e.g. 1
4. Organization of SIG-Security Landscape
- Propose several ideas on what to do, individuals/groups sign up to propose ideas at next meeting
Example A. Overview of white paper, click into different categories for details and projects. For each header/sub-header, provide relevant links to other aspects that people may wish to pursue. I.e. for signing of artifacts, relevant, would be the various aspects of signing and also linking to runtime, because there is a verification enforcement. This way users can explore cloud native security in a more holistic way.
5. Content of Security Landscape (Future)
- Develop and split up content creation in the future
Was the meeting recorded or are there any minutes?
@JonZeolla please check here for meeting notes: https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit?usp=drive_web&ouid=112152877013556173105
For any other questions, feel free to reach out to us on our Slack: cloud-native.slack.com
@JonZeolla join the #sig-security-geography channel on slack to join in the discussion
This project needs at least 1 non SIG leadership lead to help guide this forward!
Please add me to this initiative as well
@TheFoxAtWork
@ragashreeshekar please join the #sig-security-whitepaper-map channel on slack to join other folks working on this.
Thanks @ashutosh-narkar. I've joined the channel :)
Status:
- Checking on design team on ServiceDesk
- Merged in https://github.com/cncf/tag-security/blob/main/security-whitepaper/cnsmap/README.md
Closing this in favor of #737.