Achieving Security Compliance Monitoring with Open Policy Agent and Rego

Mercari Security
Hiroki Suezawa (@rung)
David Chapdelaine

July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup Lightning Talks
Why OPA & Rego for security compliance

● Why?
  ○ Need to handle structured security logs
  ○ Need to analyze a wide variety of audit and security logs from various sources
  ○ Need to use the policy engine for automated response
● OPA
  ○ Able to manage policy as code in Rego easily
  ○ Unified way to write policies in one language across different technologies
  ○ Testing and coverage support
  ○ Simple to deploy and maintain using GitOps
  ○ Built-in decision logs
  ○ Ability to build complex responses, not just pass/fail
  ○ Strong adoption in the OSS and Cloud Native community
Using dynamic external data for policies

● In some cases, policies require data that changes often, is not fully known at policy creation time, or would simply be impractical to embed and manage inside the policy. Examples:
  ○ Suspicious IP address list
  ○ Group-to-user mapping
  ○ List of employees with highly privileged access
● It is possible to leverage OPA's policy document model, i.e. the data object
● We built an OPA Data Server that provides this data to the OPA server
● The OPA Data Server is called from OPA policies using the built-in http functions (http.send)
  ○ It uses the OPA package in Go, which is very flexible
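The following Rego policy is an added example, not code from the talk or from Mercari: it shows the pattern the two previous slides describe (a structured audit log event as input, a suspicious-IP list pulled at evaluation time from an external data server with http.send, a static privileged-user list in the data document, a structured decision rather than a bare pass/fail, and unit tests that mock the HTTP call). The data server URL, the input field names (source_ip, actor, action), the data.privileged_users document and the response values are assumptions made for the example. It uses the future keywords and built-in function mocking, so it needs a reasonably recent OPA release.

```rego
package compliance.audit

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Hypothetical data-server endpoint (assumption, not the talk's real service).
data_server_url := "http://opa-data-server.internal/v1/suspicious-ips"

# Fetch the current suspicious-IP list once per evaluation. Results are cached
# for 5 minutes so a burst of log events does not hammer the data server, and
# raise_error=false turns a network failure into a status_code 0 response
# instead of aborting the whole policy evaluation.
ip_feed := http.send({
	"method": "GET",
	"url": data_server_url,
	"cache": true,
	"force_cache": true,
	"force_cache_duration_seconds": 300,
	"raise_error": false,
})

# Only trust the list on a 200; anything else falls back to an empty list and
# is surfaced as its own finding below, so an outage is visible, not silent.
default suspicious_ips := []

suspicious_ips := ip_feed.body.ips if ip_feed.status_code == 200

# Finding: the event came from an address on the suspicious-IP list.
findings contains finding if {
	input.source_ip in suspicious_ips
	finding := {
		"severity": "high",
		"rule": "suspicious_source_ip",
		"detail": sprintf("source %s is on the suspicious IP list", [input.source_ip]),
	}
}

# Finding: an IAM policy change by someone outside the privileged-user list
# (data.privileged_users is a static data document loaded with the policy).
findings contains finding if {
	input.action == "iam.setPolicy"
	not input.actor in data.privileged_users
	finding := {
		"severity": "high",
		"rule": "unexpected_iam_change",
		"detail": sprintf("actor %s changed IAM policy but is not privileged", [input.actor]),
	}
}

# Finding: the external feed could not be consulted, so the decision is degraded.
findings contains finding if {
	ip_feed.status_code != 200
	finding := {
		"severity": "medium",
		"rule": "ip_feed_unavailable",
		"detail": sprintf("suspicious-IP feed returned status %d", [ip_feed.status_code]),
	}
}

# Automated-response action derived from the findings (values are assumptions).
response := "page_oncall" if {
	some f in findings
	f.severity == "high"
} else := "ticket" if {
	count(findings) > 0
} else := "none"

# Structured decision document returned to the caller and written to decision logs.
decision := {
	"compliant": count(findings) == 0,
	"findings": findings,
	"response": response,
}

# --- Unit tests (run with `opa test .`); http.send is mocked so tests run offline. ---

mock_feed_ok(_) := {"status_code": 200, "body": {"ips": ["203.0.113.7"]}}

mock_feed_down(_) := {"status_code": 0, "error": {"message": "connection refused"}}

test_suspicious_ip_pages_oncall if {
	d := decision with input as {"source_ip": "203.0.113.7", "actor": "alice", "action": "storage.get"}
		with data.privileged_users as ["alice"]
		with http.send as mock_feed_ok
	not d.compliant
	d.response == "page_oncall"
}

test_clean_event_is_compliant if {
	d := decision with input as {"source_ip": "198.51.100.2", "actor": "alice", "action": "iam.setPolicy"}
		with data.privileged_users as ["alice"]
		with http.send as mock_feed_ok
	d.compliant
	d.response == "none"
}

test_feed_outage_is_reported_not_hidden if {
	d := decision with input as {"source_ip": "203.0.113.7", "actor": "alice", "action": "storage.get"}
		with data.privileged_users as ["alice"]
		with http.send as mock_feed_down
	not d.compliant
	d.response == "ticket"
}
```

Two design points worth noting: the feed outage is fail-visible rather than fail-open or fail-closed (the event is still evaluated against everything else, and a medium finding records that the IP check was skipped), and every test pins http.send to a mock so the test suite and coverage run in CI without network access to the data server.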
Summary

● OPA and Rego are very flexible and useful for automation when handling structured security logs
  ○ Able to use the ecosystem easily
  ○ Able to handle various logs
  ○ Able to use scalable technology and stable GitOps for policy
● We can extend the capabilities when needed
  ○ Rego can handle dynamic rules by fetching data over HTTP requests