Merge pull request #4 from ultrasaurus/general-readme

simplified readme with high level goals and link to guide

README.md

@@ -4,8 +4,8 @@ Working Group Proposal: Secure Access for Everyone (SAFE)
 ## Objective
 
 Secure Access for Everyone (SAFE) Working Group facilitates collaboration
-to discover and produce resources which enable secure access, policy control 
-and safety for operators, administrators, developers, and end-users across 
+to discover and produce resources which enable secure access, policy control
+and safety for operators, administrators, developers, and end-users across
 the cloud native ecosystem.
 
 ## Background
@@ -51,7 +51,7 @@ for both cloud and traditional infrastructure.
 ## Members
 
 * Dan Shaw ([@dshaw](https://github.com/dshaw)), PayPal [chair]
-* Sarah Allen ([@ultrasaurus](https://github.com/ultrasaurus)), Google [chair]
+* Sarah Allen ([@ultrasaurus](https://github.com/ultrasaurus)), [chair]
 * Jeyappragash JJ ([@pragashj](https://github.com/pragashj)), Tetrate.io [chair]
 * Devarajan P Ramaswamy ([@deva](https://github.com/deva26)), PADME
 * Kamil Pawlowski ([@kbpawlowski](https://github.com/kbpawlowski))
@@ -83,6 +83,10 @@ for both cloud and traditional infrastructure.
 * John Morello ([@morellonet](https://github.com/morellonet)), Twistlock
 * Alban Crequy ([@alban](https://github.com/alban)), Kinvolk
 * Michael Schubert ([@schu](https://github.com/schu)), Kinvolk
+* Andrei Manea ([@andrei_821](https://github.com/andrei821)), CloudHero
+* Justin Cappos ([@JustinCappos](https://github.com/JustinCappos)), New York University
+* Santiago Torres-Arias ([@SantiagoTorres](https://github.com/SantiagoTorres)), New York University
+* Brandon Lum ([@lumjjb](https://github.com/lumjjb)), IBM
 * JOIN OUR MEETINGS REGULARLY, THEN ADD YOURSELF VIA PULL REQUEST
 
 ## Related Groups
@@ -92,30 +96,64 @@ for both cloud and traditional infrastructure.
 * [Kubernetes SIG-Auth](https://github.com/kubernetes/community/tree/master/sig-auth)
 * [NIST Big Data WG](https://bigdatawg.nist.gov/)
 
+## Communications
+
+Anyone is welcome to join our open discussions of WG projects and share news related to the group's mission and charter. Much of the work of the group happens outside of WG meetings and we encourage project teams to share progress updates or post questions in these channels:
+
+* [Email list](https://groups.google.com/forum/#!forum/cloud-native-security)
+* [CNCF Slack](https://slack.cncf.io/) #safe-wg channel
+
 ## Meeting Time
 
 The SAFE group meets every Friday at 11:00am PT (USA Pacific):
 
-Join: https://zoom.us/j/709980684
+Join: https://zoom.us/j/665428022
 
 Or iPhone one-tap:
-* US: +16699006833,,709980684# or +16468769923,,709980684#
+* US: +16699006833,,665428022# or +16468769923,,665428022#
 
 Or Telephone:
-* US: +1 669 900 6833 or +1 646 876 9923, Meeting ID: 709-980-684
+* US: +1 669 900 6833 or +1 646 876 9923, Meeting ID: 665-428-022
 * International numbers available: https://zoom.us/zoomconference?m=r-YGNTQJzZphTlO4LYkdhAt4oIQpwl2g
 
 ## In Person Meetings
 
-Please let us know if you are going and if you are interested in attending (or helping to organize!) an in-person meetup (via the linked github issue):
-* KubeCon + CloudNativeCon, Shanghai, Nov 14-15, 2018 - [issue#28](https://github.com/cn-security/safe/issues/28)
-* KubeCon + CloudNativeCon, North America, Dec 11-13, 2018 - [issue#29](https://github.com/cn-security/safe/issues/29)
+Please let us know if you are going and if you are interested in attending (or helping to organize!) an in-person meetup. Create a [github issue](https://github.com/cn-security/safe/issues/new) for an event and add to list
+below:
+
+* KubeCon + CloudNativeCon, Barcelona, Spain, May 20 – 23, 2019 - [issue#127]
+* KubeCon + CloudNativeCon, San Diego, CA - Nov 18 – 21, 2019 - [issue#128]
 
 Past
+* KubeCon + CloudNativeCon, North America, Dec 11-13, 2018 - [issue#29](https://github.com/cn-security/safe/issues/29)
+* KubeCon + CloudNativeCon, Shanghai, Nov 14-15, 2018 - [issue#28](https://github.com/cn-security/safe/issues/28)
 * [KubeConEU](https://events.linuxfoundation.org/events/kubecon-cloudnativecon-europe-2018/) May 2-4, 2018 in Copenhagen, Denmark ([notes](safe_kubecon.md))
 
 ## Meeting Minutes
 
+* [2018-04-12 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - OPA with SAFE Presentation Framework
+* [2018-04-11 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
+* [2018-04-05 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Google Open Source Project Onboarding
+* [2018-04-04 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
+* [2018-03-29 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Revised presentation framework with in-toto (OPA, Kamus, TOC invited) 
+* [2018-03-28 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
+* [2018-03-22 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-03-22 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - SAFE Whitepaper Working Session
+* [2018-03-15 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-03-08 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-03-07 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
+* [2018-03-08 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-03-07 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
+* [2018-03-01 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-02-28 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
+* [2018-02-22 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-02-21 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
+* [2018-02-15 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-02-08 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-02-01 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-01-31 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
+* [2018-01-25 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
+* [2018-01-24 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
 * [2018-01-18 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)
 * [2018-01-17 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit) - Working Session
 * [2018-01-11 SAFE Meeting](https://docs.google.com/document/d/1WLnEErqODywjkQVTAESpwK8pgIbxsNDp6SqOtw3kjlk/edit)

assessments/README.md

@@ -0,0 +1,46 @@
+# Security Assessments
+
+## Goals
+The [security assessment process](guide) is designed to accelerate the adoption
+of cloud native technologies, based on the following goals and assumptions:
+
+### 1) Reduce risk across the ecosystem
+
+The primary goal is to reduce the risk from malicious attacks and accidental breaches of privacy. This process supports that goal in two ways:
+
+   * Clear and consistent process for communication increases detection &
+   reduces time to resolve known or suspected vulnerability issues
+   * A collaborative evaluation process increases domain expertise
+   within each participating project.
+
+### 2) Accelerate adoption of cloud native technologies
+
+Security reviews are a necessary, yet time consuming process, where each
+company, organization and project must perform its own reviews to ensure
+that it meets its unique commitments to its own users and stakeholders.
+In open source, simply finding security-related information can be a very
+time consuming part of the the process. The process is designed to enable improved discovery of security information & streamlined security reviews in multiple ways:
+
+   * Consistent documentation reduces review time
+   * Established baseline of security-relevant information reduces Q&A
+   * Clear rubric for security profile enables organizations to align their
+   risk profile with project’s risk profile and effectively allocate resources
+   (for review and needed project contribution)
+   * Structured metadata allows for navigation, grouping and cross-linking
+
+We expect that this process will raise awareness of how specific open source
+projects affect the security of a cloud native system; however, separate
+activities may be needed to achieve that purpose using materials generated by
+the assessements.
+
+## Outcome
+
+Each project assessment will:
+1. ensure a clear description of the project's design goals with respect to
+security
+2. uncover design flaws and document known limitations
+3. document next steps toward increasing security of the project itself and/or
+increasing the applications of the project toward increasing security of the
+cloud native ecosystem
+
+

landscape/categories.md

@@ -15,7 +15,7 @@ sub-categories. The remaining text is a description of each sub-category.
     - Tools that facilitate automated security testing in pipelines;
     eg for functional security tests of authn and authz,
       tests of known potential weaknesses or misconfigurations
-  - _Piplines_
+  - _Pipelines_
     - Tools that ensure a secure pipeline or workflow, for example,
     as applied to devops (CI/CD), supply chain, etc.
 

safe_usecases.md → usecases.md

@@ -1,34 +1,47 @@
-Authors: [email protected], [email protected], [email protected], [email protected] 
+Authors: [email protected], [email protected], [email protected], [email protected]
 
-Created: 7 March 2017
+Updated: 9 April 2019
 
-This is a living document, please feel free to add use cases and personas through a PR. We want this to be a repository of cloud native security related use cases.
+This is a living document, please feel free to add use cases and personas through a PR. 
+This initial version was derived from inputs referencd below.  Please add 
+references for new use cases, which could included shared documents from other 
+projects, published research or case studies of cloud native technologies in
+real world use.
+
+## References
 
-Refer:
-============
+* SAFE Cloud Foundry Use Cases: https://goo.gl/4pmdqt
+* Administrators Bill of Rights: https://goo.gl/yQCxE8
 
-SAFE Cloud Foundry Use Cases: https://goo.gl/4pmdqt
+Overview
+============
+This is a list of use cases to enable secure access, policy control and safety
+for users of cloud native technology.
 
-Administrators Bill of Rights: https://goo.gl/yQCxE8
+## Users
 
+Within an enterprise, based on the organization structure, we may have one or 
+more of the personas. The more general user categories are
+separated into these more detailed personas where roles may be held by 
+different people in a large organization.
 
-Summary 
-============
-Within an enterprise, based on the organization structure, we may have one or more of the personas. They could be from Developer, Enterprise Operator, Network Operator, End User, Infrastructure Provider. In this document, we will try to breakdown the use cases by applying bill of rights to each personas. 
+* Operators: Enterprise, Quota, Network
+* Administrators: Security, Compliance/Audit
+* Developers, including Third Party Security Products
+* End-users 
 
-Developer
-=============
-* As a developer, I need to provide logs for any changes to a critical resources, such that they can be made available for auditing
+A project will often have a very focused target audience and not all
+use cases are applicable in every situaton.  The use cases below are a guide
+to consider common needs that often require support from multiple products
+or technologies in order to be fully functional for the target users.
 
-* As a developer, I need to be able to tag my resources so that they can be grouped by an administrator when required
+# Operators
 
-* As a developer I need to be able to perform an access check for a resource
+## Enterprise 
 
-Enterprise Operator
-=============
 * As an enterprise operator, I need a central way to look at the organizational resources, so that I can administer them in a single view
 
-* As an enterprise operator, I need the ability to see what about the resource changed, who changed it and when it was changed, so that I can report on for compliance 
+* As an enterprise operator, I need the ability to see what about the resource changed, who changed it and when it was changed, so that I can report on for compliance
 
 * As an enterprise operator, I need a way to delegate policy control to lower level admins, including sub enterprise operators, who help me scale.
 
@@ -43,8 +56,19 @@ Enterprise Operator
 * As an enterprise operator, I can understand the effect of changes to policy that I am making
 
 
-Quota Operator
-==================
+## Quota 
+
+Since quota is often used for cost control, this may imply a different persona
+with financial, rather than an engineering background.
+
+An important use of quota is to protect a service from abuse. By setting a
+quota, we can ensure that a single individual or group cannot bring down the
+service for everybody else (either intentionally or unintentionally).
+For example, services may lack sufficient protections (such as exponential
+backoff) and a simple quota enforcement in front of the service can reduce the
+impact of repeated request on the rest of the infrastructure.
+
+
 
 * As an quota operator, I need a central way to look at the organizational resources, so that I can administer them in a single view
 
@@ -61,8 +85,7 @@ Quota Operator
 * As a quota operator, I can understand the effect of changes to quota that I am making
 
 
-Network Operator
-====================
+## Network 
 
 * As a network operator, I need a central way to look at the networks in my organization, so that I can administer them in a single view.
 
@@ -75,20 +98,9 @@ Network Operator
 * As a network operator, I can understand the effect of changes to network policy that I am making
 
 
-End User
-============
+# Administrators
 
-* As an end user, I can understand which resources I can access and how I can request access to a resource
-
-* As an end user, I can delegate or revoke access to downstream applications/resource or other users
-
-* As an end user, I can request access to a resource and operations.
-
-* As an end user, I can understand the effect of changes to policy that I am making
-
-
-Compliance Officer /Auditor
-===============================
+## Compliance Officer / Auditor
 
 * As a compliance officer, I can <a href="https://docs.google.com/document/d/19V_Vx0fdz2HOa31FpPswT9CsUphizfJcwvDJv05aWFs/edit#heading=h.norkt12d88ma" target="_blank">audit</a>  all accesses and understand all policy grants for my organizations’ cloud resources - including all accesses of other administrators.
 
@@ -103,8 +115,7 @@ Compliance Officer /Auditor
 * As a compliance officer, I can configure my organization's resources to meet the requirements of relevant standards such as [PCI](https://www.pcisecuritystandards.org/), [FedRAMP](https://www.fedramp.gov/) or [HIPAA](https://www.gpo.gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm), and I can generate assessment and attestation artifacts showing how the relevant requirements are met.
 
 
-Security Administrator
-==========================
+## Security Administrator
 
 * As a security administrator, I can <a href="https://docs.google.com/document/d/19V_Vx0fdz2HOa31FpPswT9CsUphizfJcwvDJv05aWFs/edit#heading=h.ems5pk2exnlb" target="_blank">centrally administer</a>  my organizations’ cloud resources.
 
@@ -122,15 +133,36 @@ Security Administrator
 
 * As a security administrator, I can <a href="https://docs.google.com/document/d/19V_Vx0fdz2HOa31FpPswT9CsUphizfJcwvDJv05aWFs/edit#heading=h.7wavwjkp2pz2" target="_blank">exercise the above rights in hybrid and mutli-cloud deployments</a>  without compromising my ability to manage my organizations’ cloud resources.
 
+# Developers
 
-Third Party Security Product/System
-==========================
+* As a developer, I need to provide logs for any changes to a critical resources, such that they can be made available for auditing
+
+* As a developer, I need to be able to tag my resources so that they can be grouped by an administrator when required
+
+* As a developer I need to be able to perform an access check for a resource
+
+# Third Party Security Product/System
 
 * A third party system should be able to affect security policy based on assets being tagged as quarantined.
 
     * To put it more generically, I should be able to associate resources with dynamic labels/tags which can be used to trigger certain policies
 
 
-
+
+
+# End-users
+
+* As an end user, I can understand which resources I can access and how I can request access to a resource
+
+* As an end user, I can delegate or revoke access to downstream applications/resource or other users
+
+* As an end user, I can request access to a resource and operations.
+
+* As an end user, I can understand the effect of changes to policy that I am making
+
+
+
+
+