-
Notifications
You must be signed in to change notification settings - Fork 634
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CNCF SIG-Security charter and roles #146
Conversation
Thanks @pragashj, RFC @cncf/toc, we will also cover it in today's TOC meeting |
Security is a very broad topic. To help keep focus, I would suggest narrowing down, at least initially, to problem areas that are relatively specific to cloud-native architectures and environments. For example there are many aspects of Authentication, RBAC, ABAC, Confidentiality, Integrity etc that apply to most systems, whether or not they are cloud-native. Adding some references to generic treatments of those areas to your white papers is probably a good idea, but I would steer clear of debating or documenting those general areas in any detail, other than to the extent that traditional approaches might not apply, or not work well, in cloud-native environments. |
Thanks Quinton for the feedback. We will make this clear in the SAFE Charter
<https://docs.google.com/document/d/1Yt5IPtN5Mc-FrQDFGUhLpBRePmMAZUA83NbENb69oLs/edit#heading=h.g5qinwik52a6>
as
well. If you have suggestions for how to word that, please drop a comment
there as well.
…On Tue, Aug 21, 2018 at 11:15 AM Quinton Hoole ***@***.***> wrote:
Security is a very broad topic. To help keep focus, I would suggest
narrowing down, at least initially, to problem areas that are relatively
specific to cloud-native architectures and environments. For example there
are many aspects of Authentication, RBAC, ABAC, Confidentiality, Integrity
etc that apply to most systems, whether or not they are cloud-native.
Adding some references to generic treatments of those areas to your white
papers is probably a good idea, but I would steer clear of debating or
documenting those general areas in any detail, other than to the extent
that traditional approaches might not apply, or not work well, in
cloud-native environments.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#146 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AdwPwCsr34j_d-oWcuwp2GsPnNSrRNNlks5uTE4rgaJpZM4WE7zW>
.
|
I find the objective clarifies the scope of the security work: In helping to draft this the focus is on:
In general, I believe the modifier "for operators, administrators, developers, and end-users across the cloud native ecosystem" will help focus the group's work. We may address some concerns for on-prem systems, but only to the degree that is required because of interoperability needs with cloud native systems. This work grew out of a need from many of us who work on software solutions that provide some key part of a secure system. Of course, there are a number of considerations required to create secure architecture and enforce appropriate controls. Right now the solution space is fragmented, and when we seek to create software that works well with existing and emerging systems, we sometimes need to fall back to pair-wise interoperability and we see opportunities to agree on some critical needs and define common ways to interoperate. The approach of defining the landscape by listening to people who have cloud native deployments and solutions in this space seems slow to some, yet we have found that this approach helps with alignment by developing a common vocabulary and reference points for group members. We've defined a some tangible initial output:
This reflects the combination of two efforts: the original SAFE community that was formed at KubeCon in Dec '17, and the group that proposed a CNCF Policy WG. We felt that our groups had such overlapping concerns that we needed to work together on this. I find this group to be helpful to my work at Google, where I became involved in security policy via Firebase Rules, which contributes to OPA, and I also work on infrastructure that supports event-triggered Cloud Functions, helping start CloudEvents, initially as part of the CNCF Serverless WG. We have a lot of problems to solve and I think the SAFE WG will be a good addition to CNCF. |
Just to be very clear, the term "cloud native" does not at all imply public cloud only, or exclude on-premise deployments, as is alluded to above by @ultrasaurus . Here is the CNCF definition of "cloud native": https://github.com/cncf/toc/blob/master/DEFINITION.md The part I'm referring to is "... scalable applications in modern, dynamic environments such as public, private, and hybrid clouds". |
I would like us to clearly agree upon the written proposed timeline for delivering artifacts (contained in the charter). Both the SAFE WG, and the Policy WG have been around for a year or more and to my knowledge produced very little yet in the form of concrete outputs (please correct me if I'm wrong here). So I think it is important to produce the proposed artifacts, specifically white papers, within the reasonable timeframe proposed (about a quarter per phase) starting now. |
@quinton-hoole , good points, Few things I think worth clarifying:
You can find most of our artifacts in the github repo: https://github.com/cn-security/safe, if you want to check out the progress we've made so far, and we're working on migrating various google docs to the repo so the content is a bit more discoverable. Thanks so much for your feedback! |
@quinton-hoole I think one of the main problem is that the outputs were scattered all over the place and it is hard to gather all at once except for those of us are familiar with it :P As @ultrasaurus mentioned we will try to migrate all the materials/outputs to a place that people would be easy to find. There are a lot of good stuff during almost a year's work :) |
updated per new SIG process with all required documents in the sig-security repo governance docs with links here for CNCF approval |
+1 binding TOC votes (7/9): |
A new repo is created to reflect the work being done by the SIG-Security (previously SAFE)