CNCF Compliance Working Group

Charter

Cloud native systems represent a paradigm shift in both technical and human operations workflows. The community (and industry) has invested significant time researching and solving approaches to cloud native security concerns and topics: software vulnerabilities, risk management, software component dependencies and infrastructure as code (GitOps), supply chain provenance, malicious attackers, threat models, and technical security assessments. At the same time, many commercial, non-profit, community, and government organizations performing services or providing data storage must abide by national, regional, or local laws and regulations regarding user privacy and data, with assurance of the protection, integrity, and resilience of their compute and data processing. These cross-cutting concerns span not only the specific technical configuration of software and systems, but also require complex orchestration of human administrative, operational, and design activities, especially when audit activities expect concrete, reviewable, independent audit artifacts.

The motivation of the Compliance WG is cross-disciplinary and focused on bridging purely technical issues to broader legal and regulatory workflows: not only striving to prevent system breaches, but also considering supply chain, operator, data, and AI failures while simultaneously considering auditability, non-repudiation, legally required forensic evidence, etc., across all the activities required of cloud native operators of all sizes. The Compliance WG plans to curate vendor-neutral tools for evidence collection and chain of custody in audits, as well as automated workflows for continuous compliance authoring and assessment.

The key areas of the Compliance WG include:

  • Building a knowledge base (in GitHub and possibly other tools) and case studies on the how, what, why, and when of operating a cloud native environment within the requirements of the legal and regulatory entities that govern clouds, specific industries, and, more generally, data and public/consumer usage. These requirements are often not just technical security concerns. Compliance activities and requirements span human activities and performance, system availability and reliability, the combined human and technical aspects of continuity of operations, and defining and monitoring data location as well as the sovereignty and provenance of the regulated environment's components and data.

  • Generating specific examples of compliance as code, normalized templates, and tools for automating both the technical and non-technical requirements, control assessment, data analysis, audit, and compliance remediation workflows that specifically benefit CNCF projects and their community of users.

  • Reviewing industry and governmental standards (e.g. NIST, PCI, HIPAA) from a cloud native perspective and serving as Subject Matter Experts in the CNCF community on how projects should implement and support these compliance-specific requirements as first-class citizens, enabling broad adoption of best practices by commercial, non-profit, governmental, and humanitarian organizations.

Responsibilities

  • Users/personas/needs/customer demands for industry and regulatory compliance (both human and technical)
  • Identification of areas of focus, e.g. human workflows, automated workflows, analytical tools, audit and assessment tools, technical security controls that cut across components, systems, and clouds, etc.
  • Framework for evaluation, audit, and reporting: how do products and tools demonstrate compliance?
  • Training and automation: what is missing, what is difficult to understand, what knowledge gaps are there?
  • Work on integrating common tooling across different projects, particularly where that tooling is a CNCF project (but the targets may not be)
  • Cross-project focus on the projects and efforts the CNCF is funding, helping projects identify needs and providing subject matter expertise to assist
  • Recommendations for integrating security tooling with compliance tooling and processes: making both the synergies and the distinct separations of concern explicit and achieving community consensus
  • Growing CNCF external relationships with interested parties, e.g. NIST and other compliance standards bodies such as FINOS, OSCAL, and OpenSSF

Stakeholders/Key people - Roles and responsibilities

WG co-chairs

WG tech leads