1 Achieving Security Compliance Monitoring with Open Policy Agent and Rego Mercari Security Hiroki Suezawa (@rung) David Chapdelaine July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup Lightning Talks

2 Agenda Dynamic Policies with External Data 02 01 Why OPA & Rego for Security Compliance

3 ● Why? ○ Need to handle structured security log ○ Need to analyze wide variety of audit and security logs from various sources. ○ Need to use the policy engine for automated response. ● OPA ○ Able to manage Policy as code in Rego easily ○ Unified way to write the policies in one language across different technologies. ○ Testing and coverage support. ○ Simple to deploy and maintain using GitOps ○ Built-in Decision Logs. ○ Ability to build complex responses and not just pass/fail. ○ Strong adoption in the OSS community and Cloud Native Why OPA & Rego for security compliance

4 OPA serverless deployment ● Policy as code ● Scalable ● GitOps

5 Use cases Security compliance monitoring

6 Case 1: Auditing Google Cloud IAM changes

7 Case 2: BigQuery dataset made public For notification For automated response

8 Dynamic policies Using external data for decisions

9 ● In some cases, policies require data that can change often, aren’t fully known at policy creation, or would simply be impractical to embed and manage inside the policy. Examples: ○ Suspicious IP address list ○ Groups to users list ○ Employee list with high privileged access ● It’s possible to leverage OPA policy document model data object ● We built an OPA Data server that can provide the data to OPA server ● OPA Data Server is called from OPA policies using built-in http functions. ○ It uses OPA package in Go. it’s very flexible. Using dynamic external data for policies

10 OPA Data Server

11 Case 3: Detect threat actor activity

12 Data fetch for policies

13 Summary ● OPA and Rego is very flexible and useful for automation when handling structured security log. ○ Able to use the ecosystem easily ○ Able to handle various logs ○ Able to use scalable technology and stable GitOps for policy ● We can extend the ability when needed ○ Rego can be able to handle dynamic rule by HTTP request