generated from coulomb/repo-seed
Add security architecture pattern infospace
This commit is contained in:
@@ -0,0 +1,91 @@
|
||||
# Security Capability Catalog
|
||||
|
||||
Status: initial catalog extracted from the genesis exploration
|
||||
Owner: NetKingdom architecture, maintained in infospace-bench
|
||||
|
||||
## Purpose
|
||||
|
||||
This catalog names the security outcomes a NetKingdom-enabled platform
|
||||
must provide before production use. Capabilities describe what must
|
||||
exist; patterns describe how the capability may be implemented.
|
||||
|
||||
The catalog is intentionally platform-oriented. It separates platform
|
||||
responsibility from product/application responsibility and tenant
|
||||
responsibility so security does not become scattered repo-local lore.
|
||||
|
||||
## Capability Template
|
||||
|
||||
Each capability should eventually use this shape:
|
||||
|
||||
```text
|
||||
Intent
|
||||
Scope
|
||||
Threats addressed
|
||||
Required controls
|
||||
Implementation options
|
||||
Platform responsibility
|
||||
Product responsibility
|
||||
Tenant responsibility
|
||||
Readiness criteria
|
||||
Evidence
|
||||
Related patterns
|
||||
Related standards
|
||||
```
|
||||
|
||||
## Capability Groups
|
||||
|
||||
| Group | Intent | Initial readiness focus |
|
||||
| --- | --- | --- |
|
||||
| Security governance and production readiness | Make security decisions, risks, exceptions, and promotion gates explicit | ADRs, risk register, threat models, readiness gates |
|
||||
| Identity and user management | Establish trusted human, service, workload, and agent identities | IAM Profile, key-cape, Keycloak, MFA, lifecycle management |
|
||||
| Authorization and access control | Decide what actors may do to scoped resources | flex-auth, CARING descriptors, Topaz, tenant-aware decisions |
|
||||
| Tenant isolation | Keep tenant identity, runtime, data, and control-plane boundaries explicit | tenant context propagation, data partitioning, control-plane guardrails |
|
||||
| Secrets, keys, and credentials | Prevent scattered static credentials and unsafe bootstrap paths | SOPS/age bootstrap, OpenBao runtime authority, rotation, leases |
|
||||
| Network and edge security | Control public entry points and lateral movement | ingress, TLS, default-deny network policy, egress control |
|
||||
| Platform and Kubernetes hardening | Reduce default platform attack surface | RBAC, pod security, admission control, image provenance |
|
||||
| Application and API security | Make applications safe consumers of platform security services | OIDC integration, object-level authorization, API schemas |
|
||||
| Data protection and privacy | Protect sensitive and tenant data over its lifecycle | classification, encryption, retention, deletion, auditability |
|
||||
| Software supply chain security | Protect source, build, dependency, and artifact integrity | SBOM, signed images, provenance, dependency review |
|
||||
| Observability, detection, and audit | Make security-relevant activity visible and reviewable | central audit, identity logs, policy logs, OpenBao audit, tenant audit |
|
||||
| Incident response and recovery | Contain incidents and recover platform and tenant service safely | runbooks, break-glass, restore drills, post-incident review |
|
||||
|
||||
## Production Readiness Baseline v0.1
|
||||
|
||||
The first NetKingdom production readiness baseline contains these
|
||||
capabilities:
|
||||
|
||||
1. Central identity provider.
|
||||
2. MFA for privileged access.
|
||||
3. Tenant identity and isolation model.
|
||||
4. Kubernetes secure baseline.
|
||||
5. Secrets management and OpenBao runtime handoff.
|
||||
6. Network default-deny and ingress control.
|
||||
7. API authentication and object-level authorization.
|
||||
8. Policy-as-code admission control.
|
||||
9. Container and dependency vulnerability management.
|
||||
10. Central security logging and audit trail.
|
||||
11. Backup and restore verification.
|
||||
12. Incident response runbooks.
|
||||
|
||||
## Standards Mapping Seed
|
||||
|
||||
| Standard or framework | Use in this infospace |
|
||||
| --- | --- |
|
||||
| NIST CSF 2.0 | Governance-level capability grouping: Govern, Identify, Protect, Detect, Respond, Recover |
|
||||
| CIS Controls v8 | Practical control coverage and data protection mapping |
|
||||
| OWASP ASVS | Verifiable application security requirements |
|
||||
| OWASP API Security | API authorization and object-level access risk framing |
|
||||
| SLSA | Build provenance and supply-chain integrity |
|
||||
| OpenSSF Scorecard | Open-source dependency and project-risk signals |
|
||||
| CNCF Cloud Native Security | Kubernetes and cloud-native platform security framing |
|
||||
| NSA/CISA Kubernetes Hardening | Kubernetes hardening checklist and threat focus |
|
||||
|
||||
## NetKingdom-Specific Notes
|
||||
|
||||
- IAM Profile is the canonical identity contract.
|
||||
- flex-auth is the canonical authorization decision boundary.
|
||||
- OpenBao is runtime secret authority, not identity provider or policy
|
||||
decision point.
|
||||
- Railiance owns deployment layers and platform services.
|
||||
- `infospace-bench` owns this catalog as a concrete infospace artifact,
|
||||
not as the canonical deployment source.
|
||||
Reference in New Issue
Block a user