generated from coulomb/repo-seed
4.5 KiB
4.5 KiB
Security Capability Catalog
Status: initial catalog extracted from the genesis exploration Owner: NetKingdom architecture, maintained in infospace-bench
Purpose
This catalog names the security outcomes a NetKingdom-enabled platform must provide before production use. Capabilities describe what must exist; patterns describe how the capability may be implemented.
The catalog is intentionally platform-oriented. It separates platform responsibility from product/application responsibility and tenant responsibility so security does not become scattered repo-local lore.
Capability Template
Each capability should eventually use this shape:
Intent
Scope
Threats addressed
Required controls
Implementation options
Platform responsibility
Product responsibility
Tenant responsibility
Readiness criteria
Evidence
Related patterns
Related standards
Capability Groups
| Group | Intent | Initial readiness focus |
|---|---|---|
| Security governance and production readiness | Make security decisions, risks, exceptions, and promotion gates explicit | ADRs, risk register, threat models, readiness gates |
| Identity and user management | Establish trusted human, service, workload, and agent identities | IAM Profile, key-cape, Keycloak, MFA, lifecycle management |
| Authorization and access control | Decide what actors may do to scoped resources | flex-auth, CARING descriptors, Topaz, tenant-aware decisions |
| Tenant isolation | Keep tenant identity, runtime, data, and control-plane boundaries explicit | tenant context propagation, data partitioning, control-plane guardrails |
| Secrets, keys, and credentials | Prevent scattered static credentials and unsafe bootstrap paths | SOPS/age bootstrap, OpenBao runtime authority, rotation, leases |
| Network and edge security | Control public entry points and lateral movement | ingress, TLS, default-deny network policy, egress control |
| Platform and Kubernetes hardening | Reduce default platform attack surface | RBAC, pod security, admission control, image provenance |
| Application and API security | Make applications safe consumers of platform security services | OIDC integration, object-level authorization, API schemas |
| Data protection and privacy | Protect sensitive and tenant data over its lifecycle | classification, encryption, retention, deletion, auditability |
| Software supply chain security | Protect source, build, dependency, and artifact integrity | SBOM, signed images, provenance, dependency review |
| Observability, detection, and audit | Make security-relevant activity visible and reviewable | central audit, identity logs, policy logs, OpenBao audit, tenant audit |
| Incident response and recovery | Contain incidents and recover platform and tenant service safely | runbooks, break-glass, restore drills, post-incident review |
Production Readiness Baseline v0.1
The first NetKingdom production readiness baseline contains these capabilities:
- Central identity provider.
- MFA for privileged access.
- Tenant identity and isolation model.
- Kubernetes secure baseline.
- Secrets management and OpenBao runtime handoff.
- Network default-deny and ingress control.
- API authentication and object-level authorization.
- Policy-as-code admission control.
- Container and dependency vulnerability management.
- Central security logging and audit trail.
- Backup and restore verification.
- Incident response runbooks.
Standards Mapping Seed
| Standard or framework | Use in this infospace |
|---|---|
| NIST CSF 2.0 | Governance-level capability grouping: Govern, Identify, Protect, Detect, Respond, Recover |
| CIS Controls v8 | Practical control coverage and data protection mapping |
| OWASP ASVS | Verifiable application security requirements |
| OWASP API Security | API authorization and object-level access risk framing |
| SLSA | Build provenance and supply-chain integrity |
| OpenSSF Scorecard | Open-source dependency and project-risk signals |
| CNCF Cloud Native Security | Kubernetes and cloud-native platform security framing |
| NSA/CISA Kubernetes Hardening | Kubernetes hardening checklist and threat focus |
NetKingdom-Specific Notes
- IAM Profile is the canonical identity contract.
- flex-auth is the canonical authorization decision boundary.
- OpenBao is runtime secret authority, not identity provider or policy decision point.
- Railiance owns deployment layers and platform services.
infospace-benchowns this catalog as a concrete infospace artifact, not as the canonical deployment source.