generated from coulomb/repo-seed
92 lines
4.5 KiB
Markdown
92 lines
4.5 KiB
Markdown
# Security Capability Catalog
|
|
|
|
Status: initial catalog extracted from the genesis exploration
|
|
Owner: NetKingdom architecture, maintained in infospace-bench
|
|
|
|
## Purpose
|
|
|
|
This catalog names the security outcomes a NetKingdom-enabled platform
|
|
must provide before production use. Capabilities describe what must
|
|
exist; patterns describe how the capability may be implemented.
|
|
|
|
The catalog is intentionally platform-oriented. It separates platform
|
|
responsibility from product/application responsibility and tenant
|
|
responsibility so security does not become scattered repo-local lore.
|
|
|
|
## Capability Template
|
|
|
|
Each capability should eventually use this shape:
|
|
|
|
```text
|
|
Intent
|
|
Scope
|
|
Threats addressed
|
|
Required controls
|
|
Implementation options
|
|
Platform responsibility
|
|
Product responsibility
|
|
Tenant responsibility
|
|
Readiness criteria
|
|
Evidence
|
|
Related patterns
|
|
Related standards
|
|
```
|
|
|
|
## Capability Groups
|
|
|
|
| Group | Intent | Initial readiness focus |
|
|
| --- | --- | --- |
|
|
| Security governance and production readiness | Make security decisions, risks, exceptions, and promotion gates explicit | ADRs, risk register, threat models, readiness gates |
|
|
| Identity and user management | Establish trusted human, service, workload, and agent identities | IAM Profile, key-cape, Keycloak, MFA, lifecycle management |
|
|
| Authorization and access control | Decide what actors may do to scoped resources | flex-auth, CARING descriptors, Topaz, tenant-aware decisions |
|
|
| Tenant isolation | Keep tenant identity, runtime, data, and control-plane boundaries explicit | tenant context propagation, data partitioning, control-plane guardrails |
|
|
| Secrets, keys, and credentials | Prevent scattered static credentials and unsafe bootstrap paths | SOPS/age bootstrap, OpenBao runtime authority, rotation, leases |
|
|
| Network and edge security | Control public entry points and lateral movement | ingress, TLS, default-deny network policy, egress control |
|
|
| Platform and Kubernetes hardening | Reduce default platform attack surface | RBAC, pod security, admission control, image provenance |
|
|
| Application and API security | Make applications safe consumers of platform security services | OIDC integration, object-level authorization, API schemas |
|
|
| Data protection and privacy | Protect sensitive and tenant data over its lifecycle | classification, encryption, retention, deletion, auditability |
|
|
| Software supply chain security | Protect source, build, dependency, and artifact integrity | SBOM, signed images, provenance, dependency review |
|
|
| Observability, detection, and audit | Make security-relevant activity visible and reviewable | central audit, identity logs, policy logs, OpenBao audit, tenant audit |
|
|
| Incident response and recovery | Contain incidents and recover platform and tenant service safely | runbooks, break-glass, restore drills, post-incident review |
|
|
|
|
## Production Readiness Baseline v0.1
|
|
|
|
The first NetKingdom production readiness baseline contains these
|
|
capabilities:
|
|
|
|
1. Central identity provider.
|
|
2. MFA for privileged access.
|
|
3. Tenant identity and isolation model.
|
|
4. Kubernetes secure baseline.
|
|
5. Secrets management and OpenBao runtime handoff.
|
|
6. Network default-deny and ingress control.
|
|
7. API authentication and object-level authorization.
|
|
8. Policy-as-code admission control.
|
|
9. Container and dependency vulnerability management.
|
|
10. Central security logging and audit trail.
|
|
11. Backup and restore verification.
|
|
12. Incident response runbooks.
|
|
|
|
## Standards Mapping Seed
|
|
|
|
| Standard or framework | Use in this infospace |
|
|
| --- | --- |
|
|
| NIST CSF 2.0 | Governance-level capability grouping: Govern, Identify, Protect, Detect, Respond, Recover |
|
|
| CIS Controls v8 | Practical control coverage and data protection mapping |
|
|
| OWASP ASVS | Verifiable application security requirements |
|
|
| OWASP API Security | API authorization and object-level access risk framing |
|
|
| SLSA | Build provenance and supply-chain integrity |
|
|
| OpenSSF Scorecard | Open-source dependency and project-risk signals |
|
|
| CNCF Cloud Native Security | Kubernetes and cloud-native platform security framing |
|
|
| NSA/CISA Kubernetes Hardening | Kubernetes hardening checklist and threat focus |
|
|
|
|
## NetKingdom-Specific Notes
|
|
|
|
- IAM Profile is the canonical identity contract.
|
|
- flex-auth is the canonical authorization decision boundary.
|
|
- OpenBao is runtime secret authority, not identity provider or policy
|
|
decision point.
|
|
- Railiance owns deployment layers and platform services.
|
|
- `infospace-bench` owns this catalog as a concrete infospace artifact,
|
|
not as the canonical deployment source.
|