Description
OpenShift Commons Briefing
Compliance as Code
Keith Basil (RedHat)
Hosted by Diane Mueller (Red Hat)
2020-05-13
First, who am I? Keith Basil. I am a product manager in the cloud platforms business unit and I cover security for OpenStack and OpenShift, and so what I'm going to introduce today is a compliance-driven approach to better security, and I'm gonna introduce this concept of compliance as code and what that means. So, let's actually jump into it and get started. So fundamentally, here's the problem, for the slides to advance.

Yes, ok, so there's about a four second delay. We've taken on internally an effort to research the many global compliance frameworks, and so, Red Hat being a global company, we run into these daily with our customers. So, for example, in Australia, there's a framework of recommendations around what's called the Essential Eight, like the essential eight things you need to do to lock down your computer system or cloud infrastructure, right.

We also work with an organization called ANSSI in France, who is responsible for enforcing security policy for things that are labeled as critical infrastructure to the country, right. And then we have our friends here in the US government. We have really good relationships with NIST and the DoD and IC communities, where we are helping make our products more secure to meet their requirements. So the takeaway here is that you've got geographical boundaries.

You've got industry specificity for these risk management frameworks, and as a product manager who kind of grew up in the DC metro area, I understand, like, the contractor mentality, right. And so my dream as a product manager was always to have a cloud product that would solve for these security problems, to make the job of the compliance and audit folks a little bit easier by checking things out of the box.
Kerstin had a slide that was very appropriate about Kubernetes done right being very, very hard, and so I want to call out a little bit more detail here, in that the compliance that we look at, we have to look at everything from the hardware, from the host level, all the way up through the stack. That means, you know, what type of operating system are you running? The kernel matters in this regard, because there are certain security facilities, particularly around Kubernetes container hosting, that are absolutely critical to compartmentalizing, you know, the workloads on your Kubernetes platform, right. So namespaces, system calls, reduction of privileges, eliminating capabilities, locking everything down with SELinux, and, for more extreme environments, having certified crypto. You want to make sure that that kernel enables FIPS, right. So these are just some low-level pieces and parts, the Legos, if you will, that actually build up and that we have to take into account when it comes to compliance. And so, let's take it one step further.

Okay, so on the right, when the slide loads, I'll show you. On the right we have our listing of all the risk management frameworks, right, again geographically bound, industry bound, maybe even a mixture. And then on the left we have OpenShift as an example of an infrastructure-as-a-service offering that we need to secure and lock down.

I'm happy that Diane mentioned the compliance officer role at the top of the call, because this is the nightmare that compliance officers have to deal with, because on the left you have an infrastructure stack that changes or iterates every three months upstream. So Kubernetes is a very, very fast moving upstream open source project, right, and then you have to marry that against one of the frameworks on the right. And so, for example, if we say we're gonna get our OpenShift environment FedRAMP Moderate enabled, right.
In fact, it gets worse, right. And so doing these things manually, you know, addressing, you know, FedRAMP compliance, NIST 800-53 compliance overall, or going for PCI DSS, etc. These things are heavy processes, and so we want to shortcut this, and this compliance as code approach is exactly how we approach that. So, let's talk about the solution. Before we go into the detail of the solution, I want to talk about the approach, right, and so we, after we've done our research against the risk management frameworks that we run into as a company.

It gives us leverage, okay, meaning that if we can solve for, let's say, the 800-53 controls that have been carved out for FISMA or FedRAMP, if we can solve for those we're gonna get probably 80 to 90% of all the other frameworks out of the box in terms of meeting those requirements. And the other logo that I'd put on this slide is the Cloud Security Alliance. And let me, let me talk about a really cool tool that these guys have.

They have this thing called the Cloud Controls Matrix. It's essentially a spreadsheet and it acts as kind of a Rosetta Stone for mapping how you address this particular control, and it shows you how you can apply that to other frameworks. So, for example, if we solve for configuration management in NIST as a family of controls, then we can see that our answers to how we do configuration management could be applied to ISO, to HIPAA, PCI DSS, etc. So it's a really cool tool in that regard.

It's kind of a road map to mapping down into the other frameworks. And so going more specifically from a Red Hat perspective, I want to talk about how we approach this with OpenShift as an example. So on the left you'll see what I call the FedRAMP cheat sheet, right. So this is basically a summary of the control families that you will find applicable to a FedRAMP deployment, and so some of these are highlighted in the green circle, like access control, and, sorry Diane, can we mute that person that's on the call?
Okay, so on the left is the FedRAMP cheat sheet, as I said, and so, as a software company, we can only, Red Hat can only influence and provide guidance for the things that are within our scope. For example, you'll see personnel security on that list on the left there, the PS family of controls. Well, Red Hat is not in the business of doing background checks on people, right. So, for example, in FedRAMP Moderate, the folks who have hands on keyboard to administrate your system must be US citizens, for example, right.

So this is our kind of internal barometer, if you will, on how we're meeting, from a product perspective, FedRAMP or FISMA Low, Moderate and High, as an example, and we'd be happy to talk to you more about that if there's any questions around our approach here around security. So going back to the concept of compliance as code. What is the magic, okay? What are we doing here that's different? So, as I alluded to before, the process is very heavy.

It's intense, it's very manual in terms of building documentation, documenting the system, all the controls and all the configs and the knobs and such that you do to make the system more secure. What we want to do is codify that knowledge, right, in areas where we have domain expertise, right. So, for example, think of it as building a cake, and I'm going to use this cake analogy because I think it's effective here. So imagine, if you will, we're gonna bake a cake in layers.

We're gonna build each layer of the cake at a time, and now we're going to deploy OpenShift for a federal government use case. So number one, we need to figure out where the system is going to reside physically, right. So maybe we pick a data center somewhere in Ashburn, Virginia, that's close to, you know, our folks, and we're gonna say to that data center owner, give me your compliance as code, or point me to the repo that shows your compliance as code artifacts.
So we could basically, in theory, just do a pull and pull down all of the data center remediations, and descriptions, and exactly the narrative pieces. What does that mean? That means that we now have in text form information about the physical barriers around the data center, information about the security background checks of the security folks that physically reside in that data center, the man-traps. What is the level of redundancy for power and for the network? How the cage is built out, et cetera. So now we can just pull.

Do a git pull, pull that down. We have that in a JSON formatted format, where we can drop that in as the bottom of the cake, and then going one step further, we may say, if we're gonna use standard Dell hardware, hey Dell, show me your compliance as code repo that describes the hardware security that you have for your platform, right. So maybe this will describe TPMs and hardware attestation, for example, and how that's done. So we can pull that in and then we go up in this layer, up.

You want to make sure that we provide those layers of the cake and that they're fully complete, and then finally, going back to the scopes that we aren't responsible for, maybe the personnel security is an in-house thing with a private repo, and they build out all of that into a repo that specifies, via JSON, all of the personnel security procedures that they put in place. So now we've got the entire cake. We've got a directory full of, like, artifacts. There's tooling within this community called Compliance Masonry.

For example, you can point that to the artifacts that we just assembled and actually bake the cake. It's like putting it in the oven, right, and so boom. Once this tooling runs, it will build a 400-page Word document. That's the start of your system security plan, in a matter of minutes, which is phenomenal, right. And so this is the power of treating compliance as code.
Where now we have a very close to real-time status on the actual compliance implementation for each one of those layers in the cake. So, for example, on the OpenShift team, our goal is to make our security profiles be coterminous, or released in parallel, with the next version of OpenShift. So, for example, if OpenShift 4.5 comes out, we'd love to publish the compliance as code profile for FedRAMP, for example, for OpenShift 4.5, and then for 4.6, for 4.7, etc. So that way, anybody consuming this.

This work downstream, can just pull the latest, rerun the tooling, and have immediate updates to their SSPs and whatever other tooling can come out of that. And the last thing here, this is really critical, is that the compliance as code work is really two parts. There's the text part, the narrative that describes your responses in the system security plan, and then there's also a baseline set of content that does auditing and remediation. So what does that mean?

There's a code piece in the compliance as code piece that will allow you to basically analyze, audit and attest that your system is in compliance against those controls that we've defined, and if it's not, you'll have the option to come back and force it to be in compliance via the remediation content that's supplied with that profile. So it's very, very powerful in that regard, in terms of giving us leverage to maintain relevance and accuracy with our compliance processes. And so let's actually look at it a little bit in action here.

So on the next slide we talk about the process, and going from left to right, this is typically how it goes. So you'll see on the left guides and documentation. This could be auditor docs, security requirements; in the DoD space we call them SRGs, just general configuration guides on how to, you know, secure the system or make changes that are related to security but need to be accounted for. And then you have, you know, properly published and blessed what we call STIGs, the security technical implementation guides.
So this is kind of like the knowledge, but it's in ink, so-called digital paper format, right. And so one of our missions is to take that knowledge and turn that into submissions against the compliance as code repo, according to the recommendations that you find in those guides, right. And so that's number one, and then number two, we pick one of the risk management profiles that we're targeting. So, for example, if we're targeting the Australian Essential Eight, we'll take all of that knowledge on the left and we'll build an Essential Eight profile and put that on the git repo. In fact, there's a link on this slide to that exact profile, right. We've just recently got a submission from our Australian team, Asia Pacific, for the Essential Eight, and then.

So you've got documentation and sometimes tribal knowledge that's baked into your organization, in the heads of many of the people, and we want to get that from the docs, from that tribal knowledge, into something that we can act against from a software perspective. So that's what we're doing here with compliance as code.

So we've started this. There is a community upstream. This is a screenshot from one of our public sector meetups, where we're talking about innovation and using OpenControl. There's quite a few folks, Microsoft, Pivotal and some others, are members of the OpenControl community and have contributed their own compliance as code profiles, so we're starting to grow quite a bit there. And we've also created a derivative of that. We call it ATO Pathways, where it shows kind of the Red Hat product status against the authoritative information that you'll find in the compliance as code repo. And then lastly, there's a few links that you can look at to go a little bit deeper on compliance as code. The first GitHub link is the number one, is the top one, and then the Red Hat specific one is second, and then the OpenControl community you'll find at the last pitch. So that's all I had today. Hopefully this was a good overview of compliance as code and I'm happy to take any questions.
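As an added example, not from the talk and not Red Hat's, OpenControl's or Compliance Masonry's own code: a small Python sketch of the layered "cake" described above. It assumes a constructed, simplified JSON artifact schema (a stand-in, not OpenControl's real component format) for the data center, hardware and OpenShift layers, stacks them, flags required controls that no layer claims or that carry narrative only without audit/remediation content, and renders the start of an SSP narrative section.

```python
import json
from collections import defaultdict

# Constructed per-layer "compliance as code" artifacts in JSON, one per cake layer.
# The schema is a simplified stand-in for illustration, not OpenControl's real format.
LAYER_ARTIFACTS = {
    "datacenter": json.dumps({"satisfies": [
        {"control": "PE-3", "narrative": "Badge-controlled man-traps at the cage entrance."},
        {"control": "PE-11", "narrative": "Redundant power feeds and network uplinks."}]}),
    "hardware": json.dumps({"satisfies": [
        {"control": "SI-7", "narrative": "TPM-measured boot with hardware attestation."}]}),
    "openshift": json.dumps({"satisfies": [
        {"control": "AC-3", "narrative": "RBAC and SELinux isolate workloads.", "automated": True},
        {"control": "CM-6", "narrative": "Profile settings audited and remediated.", "automated": True},
        {"control": "SI-7", "narrative": "Release image signatures verified.", "automated": True}]}),
}

# Constructed list of controls the assessor expects for this FedRAMP scope.
REQUIRED_CONTROLS = {"AC-3", "CM-6", "PE-3", "PE-11", "PS-3", "SI-7"}

def merge_layers(artifacts):
    """Stack the layers: map each control to (layer, narrative, automated) tuples."""
    merged = defaultdict(list)
    for layer, raw in artifacts.items():
        for entry in json.loads(raw)["satisfies"]:
            merged[entry["control"]].append(
                (layer, entry["narrative"], entry.get("automated", False)))
    return dict(merged)

def coverage_report(merged, required):
    """Return (covered, gaps, narrative_only): controls the cake addresses, controls no
    layer claims, and covered controls that carry no audit/remediation content at all."""
    covered = sorted(c for c in required if c in merged)
    gaps = sorted(required - set(merged))
    narrative_only = sorted(c for c in covered if not any(a for _, _, a in merged[c]))
    return covered, gaps, narrative_only

def render_ssp(merged):
    """Bake the cake: emit the narrative section of a system security plan as text."""
    lines = []
    for control in sorted(merged):
        lines.append(f"## {control}")
        for layer, narrative, automated in merged[control]:
            lines.append(f"- {layer}: {narrative}" + (" [automated check]" if automated else ""))
    return "\n".join(lines)

if __name__ == "__main__":
    merged = merge_layers(LAYER_ARTIFACTS)
    print(render_ssp(merged), coverage_report(merged, REQUIRED_CONTROLS), sep="\n")
```

With the constructed input, PS-3 (personnel security) shows up as a gap because no layer's repo claims it, and the two PE controls are narrative-only, which is exactly the kind of status an assessor would want to see alongside the generated document.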