Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Achieving Security Compliance Monitoring with Open Policy Agent and Rego

Achieving Security Compliance Monitoring with Open Policy Agent and Rego

Explain how we use OPA for Security Compliance Monitoring.

Youtube Video (in Japanese)

Hiroki Suezawa (@rung)

July 07, 2021

More Decks by Hiroki Suezawa (@rung)

Other Decks in Technology


  1. 1 Achieving Security Compliance Monitoring with Open Policy Agent and

    Rego Mercari Security Hiroki Suezawa (@rung) David Chapdelaine July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup Lightning Talks
  2. 2 Agenda Dynamic Policies with External Data 02 01 Why

    OPA & Rego for Security Compliance
  3. 3 • Why? ◦ Need to handle structured security log

    ◦ Need to analyze wide variety of audit and security logs from various sources. ◦ Need to use the policy engine for automated response. • OPA ◦ Able to manage Policy as code in Rego easily ◦ Unified way to write the policies in one language across different technologies. ◦ Testing and coverage support. ◦ Simple to deploy and maintain using GitOps ◦ Built-in Decision Logs. ◦ Ability to build complex responses and not just pass/fail. ◦ Strong adoption in the OSS community and Cloud Native Why OPA & Rego for security compliance
  4. 9 • In some cases, policies require data that can

    change often, aren’t fully known at policy creation, or would simply be impractical to embed and manage inside the policy. Examples: ◦ Suspicious IP address list ◦ Groups to users list ◦ Employee list with high privileged access • It’s possible to leverage OPA policy document model data object • We built an OPA Data server that can provide the data to OPA server • OPA Data Server is called from OPA policies using built-in http functions. ◦ It uses OPA package in Go. it’s very flexible. Using dynamic external data for policies
  5. 13 Summary • OPA and Rego is very flexible and

    useful for automation when handling structured security log. ◦ Able to use the ecosystem easily ◦ Able to handle various logs ◦ Able to use scalable technology and stable GitOps for policy • We can extend the ability when needed ◦ Rego can be able to handle dynamic rule by HTTP request