apidays New York 2025 - Fast, Repeatable, Secure: Pick 3 with FINOS CCC by Leigh Capili (Control Plane)

Transcript

1. Fast, Repeatable, Secure: Pick 3 with FINOS CCC Leigh Capili

   @stealthybox Flux Maintainer, Principal Consultant

2. What is CCC?

3. None

4. https://deploy-preview-735--common -cloud-controls.netlify.app

5. Contributing Organizations

6. @controlplaneio AI Security Challenges

7. @controlplaneio Model Selection Data Integration Data Privacy Fine-Tuning RLHF Enterprise

   Operations Model Monitoring Model Governance Model Security End User Management Prompt Engineering Context Management Input Filtering Content Guardrails Model / Compute Optimization Model Event Caching Model Compression Prompt Routing Flows Runtime Optimization GPU Optimization What is AI Security? Plus…

8. @controlplaneio Towards CRISP-ML(Q): A Machine Learning Process Model with Quality

   Assurance Methodology

9. @controlplaneio Towards CRISP-ML(Q): A Machine Learning Process Model with Quality

   Assurance Methodology

10. @controlplaneio • Low-level controls and mappings • Consideration of safety:

    Responsible AI • Discussion of accountability • In-practice, real-world use cases https://github.com/finos/ai-governance-framework FINOS: AI Governance Framework

11. https://air-governance-framework.finos.org

12. OpenSSF Logical Compliance Model Layer Name Description 1 Guidance High-level

    guidance on cybersecurity measures (i.e. NIST, OWASP, FINOS AI Gov Framework etc) 2 Controls Technology-specific, threat-informed security controls (i.e. CIS Benchmarks, FINOS Common Cloud Controls, and the Open Source Project Security (OSPS) Baseline) 3 Policy Risk-informed guidance tailored to an organization 4 Evaluation Inspection of code, configurations, and deployments 5 Enforcement Prevention or remediation based on assessment findings 6 Audit Review of organizational policy and conformance https://github.com/revanite-io/sci

13. developer mode

14. Flux D2 Architecture

15. Flux D2 Architecture - flux-operator - OCI artifact sources -

    SLSA Build L3 verification

16. Flux D2 Architecture Whitepaper and implementation are opensource: github.com/ controlplaneio-fluxcd/d2-fleet

17. Our AI Firewall github.com/ controlplaneio/ ai-security-architecture

18. In summary 🍿🍿🍿 • Compliance is hard ◦ Common Cloud

    Controls (CCC) can give us a shared base across clouds ◦ Come Participate! • AI is Risky ◦ AI Readiness Framework helps us understand and label it • The state-of-the-art in Continuous Delivery is exciting ◦ We’re working to ensure Assured Flux is CCC compliant ◦ We’re replatforming our AI Security Architecture on Flux D2

19. Thanks :) Leigh Capili @stealthybox