This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/security-capability-catalog.md

4.5 KiB

Security Capability Catalog

Status: initial catalog extracted from the genesis exploration Owner: NetKingdom architecture, maintained in infospace-bench

Purpose

This catalog names the security outcomes a NetKingdom-enabled platform must provide before production use. Capabilities describe what must exist; patterns describe how the capability may be implemented.

The catalog is intentionally platform-oriented. It separates platform responsibility from product/application responsibility and tenant responsibility so security does not become scattered repo-local lore.

Capability Template

Each capability should eventually use this shape:

Intent
Scope
Threats addressed
Required controls
Implementation options
Platform responsibility
Product responsibility
Tenant responsibility
Readiness criteria
Evidence
Related patterns
Related standards

Capability Groups

Group Intent Initial readiness focus
Security governance and production readiness Make security decisions, risks, exceptions, and promotion gates explicit ADRs, risk register, threat models, readiness gates
Identity and user management Establish trusted human, service, workload, and agent identities IAM Profile, key-cape, Keycloak, MFA, lifecycle management
Authorization and access control Decide what actors may do to scoped resources flex-auth, CARING descriptors, Topaz, tenant-aware decisions
Tenant isolation Keep tenant identity, runtime, data, and control-plane boundaries explicit tenant context propagation, data partitioning, control-plane guardrails
Secrets, keys, and credentials Prevent scattered static credentials and unsafe bootstrap paths SOPS/age bootstrap, OpenBao runtime authority, rotation, leases
Network and edge security Control public entry points and lateral movement ingress, TLS, default-deny network policy, egress control
Platform and Kubernetes hardening Reduce default platform attack surface RBAC, pod security, admission control, image provenance
Application and API security Make applications safe consumers of platform security services OIDC integration, object-level authorization, API schemas
Data protection and privacy Protect sensitive and tenant data over its lifecycle classification, encryption, retention, deletion, auditability
Software supply chain security Protect source, build, dependency, and artifact integrity SBOM, signed images, provenance, dependency review
Observability, detection, and audit Make security-relevant activity visible and reviewable central audit, identity logs, policy logs, OpenBao audit, tenant audit
Incident response and recovery Contain incidents and recover platform and tenant service safely runbooks, break-glass, restore drills, post-incident review

Production Readiness Baseline v0.1

The first NetKingdom production readiness baseline contains these capabilities:

  1. Central identity provider.
  2. MFA for privileged access.
  3. Tenant identity and isolation model.
  4. Kubernetes secure baseline.
  5. Secrets management and OpenBao runtime handoff.
  6. Network default-deny and ingress control.
  7. API authentication and object-level authorization.
  8. Policy-as-code admission control.
  9. Container and dependency vulnerability management.
  10. Central security logging and audit trail.
  11. Backup and restore verification.
  12. Incident response runbooks.

Standards Mapping Seed

Standard or framework Use in this infospace
NIST CSF 2.0 Governance-level capability grouping: Govern, Identify, Protect, Detect, Respond, Recover
CIS Controls v8 Practical control coverage and data protection mapping
OWASP ASVS Verifiable application security requirements
OWASP API Security API authorization and object-level access risk framing
SLSA Build provenance and supply-chain integrity
OpenSSF Scorecard Open-source dependency and project-risk signals
CNCF Cloud Native Security Kubernetes and cloud-native platform security framing
NSA/CISA Kubernetes Hardening Kubernetes hardening checklist and threat focus

NetKingdom-Specific Notes

  • IAM Profile is the canonical identity contract.
  • flex-auth is the canonical authorization decision boundary.
  • OpenBao is runtime secret authority, not identity provider or policy decision point.
  • Railiance owns deployment layers and platform services.
  • infospace-bench owns this catalog as a concrete infospace artifact, not as the canonical deployment source.