generated from coulomb/repo-seed
Add security architecture pattern infospace
This commit is contained in:
@@ -0,0 +1,78 @@
|
||||
# Pattern: Central Audit Ledger
|
||||
|
||||
Status: seed
|
||||
Readiness target: RL3 production
|
||||
Primary owners: NetKingdom, Railiance platform, State Hub
|
||||
|
||||
## Problem
|
||||
|
||||
Security-relevant events lose accountability when identity, policy,
|
||||
OpenBao, Kubernetes, deployment, and workload logs remain disconnected.
|
||||
|
||||
## Context
|
||||
|
||||
Use this pattern when platform actions, tenant actions, agent actions,
|
||||
policy decisions, secret access, deployments, and data access must be
|
||||
correlated for operations, incident response, and customer trust.
|
||||
|
||||
## Forces
|
||||
|
||||
- Logs are high volume, but audit events must be durable and searchable.
|
||||
- Tenants may need partial visibility without seeing platform secrets.
|
||||
- Agents and humans need distinct attribution.
|
||||
- Correlation ids must cross system boundaries.
|
||||
|
||||
## Solution
|
||||
|
||||
Define a central security event taxonomy and durable audit ledger for
|
||||
security-sensitive actions. Every protected system emits events with
|
||||
actor, tenant, resource, action, decision, correlation id, and source.
|
||||
|
||||
## Implementation Sketch
|
||||
|
||||
1. Define security event classes and required fields.
|
||||
2. Emit events from key-cape, flex-auth, Topaz, OpenBao, Kubernetes,
|
||||
artifact-store, ops-bridge, and workloads.
|
||||
3. Preserve correlation ids across request, decision, secret, and data
|
||||
paths.
|
||||
4. Protect ledger retention, access, and integrity.
|
||||
5. Add tenant-visible projections where appropriate.
|
||||
|
||||
## Failure Modes
|
||||
|
||||
| Failure | Mitigation |
|
||||
| --- | --- |
|
||||
| Logs exist but cannot answer who did what | require actor/resource/action fields |
|
||||
| Tenant-visible logs expose platform internals | define projection and redaction rules |
|
||||
| Agent events hide behind human account | require explicit agent identity |
|
||||
| Audit sink outage loses privileged events | fail closed for privileged paths or buffer under policy |
|
||||
|
||||
## Related Capabilities
|
||||
|
||||
- Observability, detection, and audit.
|
||||
- Incident response and recovery.
|
||||
- Authorization and access control.
|
||||
- Agent access control.
|
||||
|
||||
## Maturity
|
||||
|
||||
Seed. The need is clear, but storage, retention, projection, and State
|
||||
Hub integration decisions remain open.
|
||||
|
||||
## Verification
|
||||
|
||||
- Critical systems emit events with required fields.
|
||||
- A single correlation id links identity, policy, secret, and workload
|
||||
events.
|
||||
- Ledger access is protected and audited.
|
||||
- Tenant-visible views contain only tenant-appropriate records.
|
||||
|
||||
## Research Basis
|
||||
|
||||
Seeded by security logging, central log collection, audit trail, tenant
|
||||
visible audit logs, and security event taxonomy.
|
||||
|
||||
## References
|
||||
|
||||
- Initial exploration: Observability, detection, and audit.
|
||||
- Initial exploration: Detection and response patterns.
|
||||
Reference in New Issue
Block a user