This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/security-capability-catalog.md

92 lines
4.5 KiB
Markdown

# Security Capability Catalog
Status: initial catalog extracted from the genesis exploration
Owner: NetKingdom architecture, maintained in infospace-bench
## Purpose
This catalog names the security outcomes a NetKingdom-enabled platform
must provide before production use. Capabilities describe what must
exist; patterns describe how the capability may be implemented.
The catalog is intentionally platform-oriented. It separates platform
responsibility from product/application responsibility and tenant
responsibility so security does not become scattered repo-local lore.
## Capability Template
Each capability should eventually use this shape:
```text
Intent
Scope
Threats addressed
Required controls
Implementation options
Platform responsibility
Product responsibility
Tenant responsibility
Readiness criteria
Evidence
Related patterns
Related standards
```
## Capability Groups
| Group | Intent | Initial readiness focus |
| --- | --- | --- |
| Security governance and production readiness | Make security decisions, risks, exceptions, and promotion gates explicit | ADRs, risk register, threat models, readiness gates |
| Identity and user management | Establish trusted human, service, workload, and agent identities | IAM Profile, key-cape, Keycloak, MFA, lifecycle management |
| Authorization and access control | Decide what actors may do to scoped resources | flex-auth, CARING descriptors, Topaz, tenant-aware decisions |
| Tenant isolation | Keep tenant identity, runtime, data, and control-plane boundaries explicit | tenant context propagation, data partitioning, control-plane guardrails |
| Secrets, keys, and credentials | Prevent scattered static credentials and unsafe bootstrap paths | SOPS/age bootstrap, OpenBao runtime authority, rotation, leases |
| Network and edge security | Control public entry points and lateral movement | ingress, TLS, default-deny network policy, egress control |
| Platform and Kubernetes hardening | Reduce default platform attack surface | RBAC, pod security, admission control, image provenance |
| Application and API security | Make applications safe consumers of platform security services | OIDC integration, object-level authorization, API schemas |
| Data protection and privacy | Protect sensitive and tenant data over its lifecycle | classification, encryption, retention, deletion, auditability |
| Software supply chain security | Protect source, build, dependency, and artifact integrity | SBOM, signed images, provenance, dependency review |
| Observability, detection, and audit | Make security-relevant activity visible and reviewable | central audit, identity logs, policy logs, OpenBao audit, tenant audit |
| Incident response and recovery | Contain incidents and recover platform and tenant service safely | runbooks, break-glass, restore drills, post-incident review |
## Production Readiness Baseline v0.1
The first NetKingdom production readiness baseline contains these
capabilities:
1. Central identity provider.
2. MFA for privileged access.
3. Tenant identity and isolation model.
4. Kubernetes secure baseline.
5. Secrets management and OpenBao runtime handoff.
6. Network default-deny and ingress control.
7. API authentication and object-level authorization.
8. Policy-as-code admission control.
9. Container and dependency vulnerability management.
10. Central security logging and audit trail.
11. Backup and restore verification.
12. Incident response runbooks.
## Standards Mapping Seed
| Standard or framework | Use in this infospace |
| --- | --- |
| NIST CSF 2.0 | Governance-level capability grouping: Govern, Identify, Protect, Detect, Respond, Recover |
| CIS Controls v8 | Practical control coverage and data protection mapping |
| OWASP ASVS | Verifiable application security requirements |
| OWASP API Security | API authorization and object-level access risk framing |
| SLSA | Build provenance and supply-chain integrity |
| OpenSSF Scorecard | Open-source dependency and project-risk signals |
| CNCF Cloud Native Security | Kubernetes and cloud-native platform security framing |
| NSA/CISA Kubernetes Hardening | Kubernetes hardening checklist and threat focus |
## NetKingdom-Specific Notes
- IAM Profile is the canonical identity contract.
- flex-auth is the canonical authorization decision boundary.
- OpenBao is runtime secret authority, not identity provider or policy
decision point.
- Railiance owns deployment layers and platform services.
- `infospace-bench` owns this catalog as a concrete infospace artifact,
not as the canonical deployment source.