Slide 1

Achieving Security Compliance Monitoring with Open Policy Agent and Rego
Mercari Security: Hiroki Suezawa (@rung), David Chapdelaine
July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup Lightning Talks

Slide 2

Agenda
01 Why OPA & Rego for Security Compliance
02 Dynamic Policies with External Data

Slide 3

Why OPA & Rego for security compliance
● Why?
○ Need to handle structured security logs
○ Need to analyze a wide variety of audit and security logs from various sources
○ Need to use the policy engine for automated response
● OPA
○ Able to manage policy as code in Rego easily
○ Unified way to write policies in one language across different technologies
○ Testing and coverage support
○ Simple to deploy and maintain using GitOps
○ Built-in decision logs
○ Ability to build complex responses, not just pass/fail
○ Strong adoption in the OSS and Cloud Native community

Slide 4

OPA serverless deployment
● Policy as code
● Scalable
● GitOps

Slide 5

Use cases: security compliance monitoring

Slide 6

Case 1: Auditing Google Cloud IAM changes

Slide 7

Case 2: BigQuery dataset made public
● For notification
● For automated response

Slide 8

Dynamic policies: using external data for decisions

Slide 9

Using dynamic external data for policies
● In some cases, policies require data that changes often, isn't fully known at policy creation time, or would simply be impractical to embed and manage inside the policy. Examples:
○ Suspicious IP address list
○ Groups-to-users list
○ Employee list with highly privileged access
● It's possible to leverage the OPA policy document model's data object
● We built an OPA Data Server that provides this data to the OPA server
● The OPA Data Server is called from OPA policies using the built-in HTTP functions.
○ It uses the OPA package in Go, so it's very flexible.
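As an added example (not the Mercari policy or data server from the slides), a Rego policy that pulls a suspicious IP list from an assumed OPA Data Server endpoint via the built-in http.send and turns a Google Cloud audit log entry into a structured decision rather than a bare pass/fail; the package name, URL and the JSON response shape are assumptions.

```rego
# Added illustration, not the Mercari policy. Package name, data-server URL and
# the JSON shape {"ips": [...]} it returns are assumptions.
package example.compliance

# Assumed OPA Data Server endpoint serving the suspicious IP list.
data_server_url = "http://opa-data-server.internal/v1/suspicious-ips"

# Fetch the list at evaluation time with OPA's built-in http.send. force_cache
# keeps one copy for 5 minutes so a burst of log events is not one request per
# event; raise_error=false turns a transport failure into an ordinary value, so
# the rule is simply undefined and the default (empty list, fail-open) applies.
default suspicious_ips = []

suspicious_ips = resp.body.ips {
    resp := http.send({
        "method": "GET",
        "url": data_server_url,
        "timeout": "2s",
        "force_cache": true,
        "force_cache_duration_seconds": 300,
        "raise_error": false,
    })
    resp.status_code == 200
}

# Match on the callerIp carried in a Google Cloud Audit Log entry (input).
from_suspicious_ip {
    suspicious_ips[_] == input.protoPayload.requestMetadata.callerIp
}

# The decision is richer than pass/fail: a severity and the response to trigger.
default decision = {"severity": "none", "action": "ignore"}
decision = {"severity": "high", "action": "notify", "reason": reason} {
    from_suspicious_ip
    input.protoPayload.methodName == "SetIamPolicy"
    reason := sprintf("IAM change by %s from suspicious IP %s",
        [input.protoPayload.authenticationInfo.principalEmail,
         input.protoPayload.requestMetadata.callerIp])
}

# Constructed audit-log entry and unit test (run with `opa test .`); the HTTP
# call is bypassed by overriding the fetched list with the `with` keyword.
test_iam_change_from_suspicious_ip {
    entry := {"protoPayload": {"methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.7"}}}
    d := decision with input as entry with data.example.compliance.suspicious_ips as ["198.51.100.7"]
    d.action == "notify"
}
```

With the empty-list fallback, a data-server outage silently disables the match, so the fetch outcome is worth surfacing in OPA's decision logs.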

Slide 10

OPA Data Server

Slide 11

Case 3: Detect threat actor activity

Slide 12

Data fetch for policies

Slide 13

Summary
● OPA and Rego are very flexible and useful for automation when handling structured security logs.
○ Able to use the ecosystem easily
○ Able to handle various logs
○ Able to use scalable technology and stable GitOps for policies
● We can extend the capability when needed
○ Rego can handle dynamic rules via HTTP requests