infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/generated/security-pattern-index.md

Security Pattern Index And Maturity Matrix

Status: generated index refreshed for NK-WP-0010

Capability Index

| Capability group | Initial status | Primary owner | Gaps |
|---|---|---|---|
| Security governance and readiness | draft | NetKingdom, State Hub | risk register and readiness gates need formalization |
| Identity and user management | partial | NetKingdom, key-cape, Keycloak | lifecycle and federation evidence incomplete |
| Authorization and access control | partial | flex-auth, NetKingdom | policy package lifecycle and Topaz runtime checks need implementation |
| Tenant isolation | draft | NetKingdom, Railiance, product repos | isolation patterns now exist; product conformance tests remain |
| Secrets, keys, and credentials | partial | NetKingdom, Railiance platform, OpenBao | OpenBao drills and certificate lifecycle evidence pending |
| Network and edge security | seed | Railiance, product repos | default-deny and gateway patterns need concrete manifests |
| Platform and Kubernetes hardening | seed | Railiance | baseline, pod-security, and admission patterns need implementation evidence |
| Application and API security | seed | product repos, NetKingdom | object-level, schema, BFF, command, and upload patterns need product adoption |
| Data protection and privacy | seed | product repos, platform | tenant data partitioning and key-per-tenant need storage-specific decisions |
| Software supply chain security | seed | Railiance, artifact-store, product repos | SBOM/provenance/signature pipeline needs implementation anchors |
| Observability, detection, and audit | draft | Railiance, NetKingdom, State Hub | event taxonomy and tenant audit projection need storage decision |
| Incident response and recovery | draft | Railiance, NetKingdom | runbooks, tenant freeze, and revocation sweep need drills |

Genesis Pattern Coverage

| Family | Exact patterns | Artifact coverage | Maturity spread |
|---|---|---|---|
| Identity and access | 8 | complete | seed to reviewed |
| Tenant isolation | 6 | complete | seed to draft |
| Kubernetes and platform | 7 | complete | seed |
| Secrets and cryptography | 5 | complete | seed to reviewed |
| Application/API security | 6 | complete | seed to draft |
| Supply chain | 6 | complete | seed |
| Detection and response | 6 | complete | seed |

The authoritative per-pattern completion matrix is artifacts/generated/research-pattern-normalization.md.

NetKingdom Umbrella Pattern Index

| Pattern | Maturity | Owner | Implementation links |
|---|---|---|---|
| STS credential vending | reviewed | NetKingdom, flex-auth, Railiance platform | NK-WP-0007, ADR-0008, artifact-store follow-up |
| Workload identity | draft | Railiance platform, NetKingdom | IAM Profile, OpenBao Kubernetes auth |
| Secret zero avoidance | reviewed | NetKingdom, Railiance platform | NK-WP-0004, NK-WP-0005, Railiance OpenBao |
| Dynamic secrets | draft | OpenBao, Railiance platform | OpenBao leases and revocation |
| Short-lived SSH certificates | draft | ops-warden, ops-bridge, NetKingdom | SSH certificate issuance and audit |
| Delegated authorization | reviewed | flex-auth, NetKingdom | flex-auth, Topaz, CARING descriptors |
| Tenant isolation | draft | NetKingdom, Railiance platform, product repos | namespace, cluster, cell, data, and control-plane isolation |
| Policy-as-code admission | seed | Railiance platform, NetKingdom | admission policy, pod security, image trust |
| Supply-chain provenance | seed | Railiance platform, artifact-store, product repos | SBOM, signatures, SLSA provenance |

Tutorial Handoff To NK-WP-0009

High-value tutorial candidates after NK-WP-0010 completion:

  1. Vend temporary S3 credentials from a NetKingdom identity token.
  2. Deploy OpenBao as canonical Railiance platform secrets manager.
  3. Use short-lived SSH credentials for admins, agents, and automations.
  4. Add a protected system to flex-auth using PDP/PEP boundaries.
  5. Apply secret-zero avoidance from bootstrap to runtime OpenBao.
  6. Build tenant audit visibility from the central audit ledger.
  7. Add policy-as-code admission with pod-security and signed-image gates.
  8. Produce SBOM, signature, and SLSA-style provenance for a release.

Open Decisions And Gaps

  • Decide durable audit ledger storage and tenant-visible audit boundary.
  • Decide which seed patterns should graduate to reviewed before tutorial writing starts.
  • Decide how machine-readable capability and pattern status should be represented.
  • Decide which pattern families need product-specific conformance tests before being marked canonical.