# Security Capability Catalog Status: initial catalog extracted from the genesis exploration Owner: NetKingdom architecture, maintained in infospace-bench ## Purpose This catalog names the security outcomes a NetKingdom-enabled platform must provide before production use. Capabilities describe what must exist; patterns describe how the capability may be implemented. The catalog is intentionally platform-oriented. It separates platform responsibility from product/application responsibility and tenant responsibility so security does not become scattered repo-local lore. ## Capability Template Each capability should eventually use this shape: ```text Intent Scope Threats addressed Required controls Implementation options Platform responsibility Product responsibility Tenant responsibility Readiness criteria Evidence Related patterns Related standards ``` ## Capability Groups | Group | Intent | Initial readiness focus | | --- | --- | --- | | Security governance and production readiness | Make security decisions, risks, exceptions, and promotion gates explicit | ADRs, risk register, threat models, readiness gates | | Identity and user management | Establish trusted human, service, workload, and agent identities | IAM Profile, key-cape, Keycloak, MFA, lifecycle management | | Authorization and access control | Decide what actors may do to scoped resources | flex-auth, CARING descriptors, Topaz, tenant-aware decisions | | Tenant isolation | Keep tenant identity, runtime, data, and control-plane boundaries explicit | tenant context propagation, data partitioning, control-plane guardrails | | Secrets, keys, and credentials | Prevent scattered static credentials and unsafe bootstrap paths | SOPS/age bootstrap, OpenBao runtime authority, rotation, leases | | Network and edge security | Control public entry points and lateral movement | ingress, TLS, default-deny network policy, egress control | | Platform and Kubernetes hardening | Reduce default platform attack surface | RBAC, pod security, admission control, image provenance | | Application and API security | Make applications safe consumers of platform security services | OIDC integration, object-level authorization, API schemas | | Data protection and privacy | Protect sensitive and tenant data over its lifecycle | classification, encryption, retention, deletion, auditability | | Software supply chain security | Protect source, build, dependency, and artifact integrity | SBOM, signed images, provenance, dependency review | | Observability, detection, and audit | Make security-relevant activity visible and reviewable | central audit, identity logs, policy logs, OpenBao audit, tenant audit | | Incident response and recovery | Contain incidents and recover platform and tenant service safely | runbooks, break-glass, restore drills, post-incident review | ## Production Readiness Baseline v0.1 The first NetKingdom production readiness baseline contains these capabilities: 1. Central identity provider. 2. MFA for privileged access. 3. Tenant identity and isolation model. 4. Kubernetes secure baseline. 5. Secrets management and OpenBao runtime handoff. 6. Network default-deny and ingress control. 7. API authentication and object-level authorization. 8. Policy-as-code admission control. 9. Container and dependency vulnerability management. 10. Central security logging and audit trail. 11. Backup and restore verification. 12. Incident response runbooks. ## Standards Mapping Seed | Standard or framework | Use in this infospace | | --- | --- | | NIST CSF 2.0 | Governance-level capability grouping: Govern, Identify, Protect, Detect, Respond, Recover | | CIS Controls v8 | Practical control coverage and data protection mapping | | OWASP ASVS | Verifiable application security requirements | | OWASP API Security | API authorization and object-level access risk framing | | SLSA | Build provenance and supply-chain integrity | | OpenSSF Scorecard | Open-source dependency and project-risk signals | | CNCF Cloud Native Security | Kubernetes and cloud-native platform security framing | | NSA/CISA Kubernetes Hardening | Kubernetes hardening checklist and threat focus | ## NetKingdom-Specific Notes - IAM Profile is the canonical identity contract. - flex-auth is the canonical authorization decision boundary. - OpenBao is runtime secret authority, not identity provider or policy decision point. - Railiance owns deployment layers and platform services. - `infospace-bench` owns this catalog as a concrete infospace artifact, not as the canonical deployment source.