generated from coulomb/repo-seed
73 lines
4.5 KiB
Markdown
# Security Pattern Index And Maturity Matrix

Status: generated index refreshed for NK-WP-0010

## Capability Index

| Capability group | Initial status | Primary owner | Gaps |
| --- | --- | --- | --- |
| Security governance and readiness | draft | NetKingdom, State Hub | risk register and readiness gates need formalization |
| Identity and user management | partial | NetKingdom, key-cape, Keycloak | lifecycle and federation evidence incomplete |
| Authorization and access control | partial | flex-auth, NetKingdom | policy package lifecycle and Topaz runtime checks need implementation |
| Tenant isolation | draft | NetKingdom, Railiance, product repos | isolation patterns now exist; product conformance tests remain |
| Secrets, keys, and credentials | partial | NetKingdom, Railiance platform, OpenBao | OpenBao drills and certificate lifecycle evidence pending |
| Network and edge security | seed | Railiance, product repos | default-deny and gateway patterns need concrete manifests |
| Platform and Kubernetes hardening | seed | Railiance | baseline, pod-security, and admission patterns need implementation evidence |
| Application and API security | seed | product repos, NetKingdom | object-level, schema, BFF, command, and upload patterns need product adoption |
| Data protection and privacy | seed | product repos, platform | tenant data partitioning and key-per-tenant need storage-specific decisions |
| Software supply chain security | seed | Railiance, artifact-store, product repos | SBOM/provenance/signature pipeline needs implementation anchors |
| Observability, detection, and audit | draft | Railiance, NetKingdom, State Hub | event taxonomy and tenant audit projection need storage decision |
| Incident response and recovery | draft | Railiance, NetKingdom | runbooks, tenant freeze, and revocation sweep need drills |

|
## Genesis Pattern Coverage

| Family | Exact patterns | Artifact coverage | Maturity spread |
| --- | ---: | --- | --- |
| Identity and access | 8 | complete | seed to reviewed |
| Tenant isolation | 6 | complete | seed to draft |
| Kubernetes and platform | 7 | complete | seed |
| Secrets and cryptography | 5 | complete | seed to reviewed |
| Application/API security | 6 | complete | seed to draft |
| Supply chain | 6 | complete | seed |
| Detection and response | 6 | complete | seed |

The authoritative per-pattern completion matrix is
`artifacts/generated/research-pattern-normalization.md`.

## NetKingdom Umbrella Pattern Index

| Pattern | Maturity | Owner | Implementation links |
| --- | --- | --- | --- |
| STS credential vending | reviewed | NetKingdom, flex-auth, Railiance platform | NK-WP-0007, ADR-0008, artifact-store follow-up |
| Workload identity | draft | Railiance platform, NetKingdom | IAM Profile, OpenBao Kubernetes auth |
| Secret zero avoidance | reviewed | NetKingdom, Railiance platform | NK-WP-0004, NK-WP-0005, Railiance OpenBao |
| Dynamic secrets | draft | OpenBao, Railiance platform | OpenBao leases and revocation |
| Short-lived SSH certificates | draft | ops-warden, ops-bridge, NetKingdom | SSH certificate issuance and audit |
| Delegated authorization | reviewed | flex-auth, NetKingdom | flex-auth, Topaz, CARING descriptors |
| Tenant isolation | draft | NetKingdom, Railiance platform, product repos | namespace, cluster, cell, data, and control-plane isolation |
| Policy-as-code admission | seed | Railiance platform, NetKingdom | admission policy, pod security, image trust |
| Supply-chain provenance | seed | Railiance platform, artifact-store, product repos | SBOM, signatures, SLSA provenance |

## Tutorial Handoff To NK-WP-0009

High-value tutorial candidates after NK-WP-0010 completion:

1. Vend temporary S3 credentials from a NetKingdom identity token.
2. Deploy OpenBao as the canonical Railiance platform secrets manager.
3. Use short-lived SSH credentials for admins, agents, and automations.
4. Add a protected system to flex-auth using PDP/PEP boundaries.
5. Apply secret-zero avoidance from bootstrap to runtime OpenBao.
6. Build tenant audit visibility from the central audit ledger.
7. Add policy-as-code admission with pod-security and signed-image gates.
8. Produce SBOM, signature, and SLSA-style provenance for a release.

|
## Open Decisions And Gaps

- Decide durable audit ledger storage and the tenant-visible audit boundary.
- Decide which seed patterns should graduate to reviewed before tutorial writing starts.
- Decide how machine-readable capability and pattern status should be represented.
- Decide which pattern families need product-specific conformance tests before being marked canonical.