[Suggestion] Map usecases.md Users to OSCAL #423
Comments
sunstonesecure-robert
added
the
suggestion
|
This is interesting to me, anything ever come of it? |
|
Not yet but still in motion. I intend to present to the Policy WG probably
after the holidays.
…On Thu, Nov 12, 2020 at 8:08 AM Chase Pettet ***@***.***> wrote:
This is interesting to me, anything ever come of it?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#423 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQWTGFG7F5KXBMDU4JJFQDLSPQCBBANCNFSM4RXEBTLQ>
.
|
|
I am interested in contributing to this work stream.... Thanks |
|
Tagging policy WG folks just to ensure visibility. @hannibalhuang @ericavonb @rficcaglia |
|
Let's target the next Policy WG agenda - 12/23. Will add to the agenda.
…On Mon, Dec 14, 2020 at 8:31 AM Brandon Lum ***@***.***> wrote:
Tagging policy WG folks just to ensure visibility. @hannibalhuang
<https://github.com/hannibalhuang> @ericavonb
<https://github.com/ericavonb> @rficcaglia <https://github.com/rficcaglia>
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#423 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQWTGFC7QE2N7HLF7GX4Z5DSUY4UPANCNFSM4RXEBTLQ>
.
|
|
Wanted to check in here and see if this is worked under the Policy WG or does this need larger involvement? |
|
Happy to have larger involvement definitely! but we are working on this in
the Policy WG and specifically wrt the Policy Report CRD. the scope
naturally could be expanded into different areas of focus so by no means do
we have a monopoly on all use cases/users
…On Fri, Jan 15, 2021 at 9:49 AM Emily Fox ***@***.***> wrote:
Wanted to check in here and see if this is worked under the Policy WG or
does this need larger involvement?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#423 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGENIUHLAEJGX6WXVWE24TS2B52BANCNFSM4RXEBTLQ>
.
|
|
Awesome ! Would you do a check in on this with the SIG meetings in February? See if we can drum up some others to join in the fun. |
|
UPDATE: no longer valid link: ~~ just FYI I think newer oscal has modified this to be: ~~ and now user type is an annotation:
so I think the specific task here would be to define the type values for system-user The PolicyReport CRD doesn't have any definition of user, there would need to be one. I can raise it at the next discussion - of note it is a member of the assessment-results oscal schema. We did discuss also having a component implementation - and system-user is also a member of that schema |
|
I am the Technical Director for the OSCAL project. I would be happy to talk with you about this use case if you have any questions. We can chat on the OSCAL Gitter. There is also a bi-weekly OSCAL Lunch with the Devs where we talk about use of models. Perhaps we could touch base there? The next one is on 2/25. |
|
This issue has been automatically marked as inactive because it has not had recent activity. |
|
I also think NICE Framework may be pertinent to this effort. |
|
This issue has been automatically marked as inactive because it has not had recent activity. |
|
Closing this given the https://github.com/cncf/tag-security/blob/main/cloud-native-controls/phase-one-announcement.md was produced. If users were out of scope, will leave it to the determination of that working group to expand upon. |
Description: What's your idea?
OSCAL has a schema definition in the SSP/implementation layer for User:
https://pages.nist.gov/OSCAL/documentation/schema/implementation-layer/ssp/json-schema/#user
and responsible roles:
https://pages.nist.gov/OSCAL/documentation/schema/implementation-layer/ssp/xml-schema/#global_responsible-role
Map the suggested personas here to OSCAL definitions
Note: these are not 1:1 mappings but possibly n:m
In addition cloud IAM platforms have lots of "predefined" roles which map to human level responsibilities, and generally map to resource read, write, or some action (eg. execute or similar):
https://cloud.google.com/iam/docs/understanding-roles#predefined_roles
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
Impact: Describe your hopes for how this would reduce risk for the cloud native ecosystem. Who will this help? How will it help them?
Provide a reusable and reviewable definition of user <-> role <-> responsibility types so that relevant permissions that can be forward engineered, reverse engineered and reviewed, version controlled, composed, verified, tested and reused.
Once these definitions have achieved consensus agreement, the concrete deliverable would be to oncorporate this into the whitepaper and map efforts. Then possibly in the future into specific tooling, eg. policy definition and assessment/enforcement tools.
Scope: How much effort will this take? ok to provide a range of options if or "not yet determined"
Additional info:
The text was updated successfully, but these errors were encountered: