Explain how we use OPA for Security Compliance Monitoring.
Youtube Video (in Japanese)
Achieving Security Compliance Monitoring with
Open Policy Agent and Rego
Hiroki Suezawa (@rung)
July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup
Dynamic Policies with External Data
01 Why OPA & Rego for Security Compliance
○ Need to handle structured security logs
○ Need to analyze a wide variety of audit and security logs from various sources.
○ Need to use the policy engine for automated response.
○ Able to manage Policy as code in Rego easily
○ Unified way to write the policies in one language across different technologies.
○ Testing and coverage support.
○ Simple to deploy and maintain using GitOps
○ Built-in Decision Logs.
○ Ability to build complex responses and not just pass/fail.
○ Strong adoption in the OSS community and Cloud Native
Why OPA & Rego for security compliance
OPA serverless deployment
● Policy as code
Security compliance monitoring
Case 1: Auditing Google Cloud IAM changes
Case 2: BigQuery dataset made public
Using external data for decisions
● In some cases, policies require data that can change often, aren't fully known at policy creation, or would simply be impractical to embed and manage inside the policy. Examples:
○ Suspicious IP address list
○ Groups to users list
○ Employee list with high privileged access
● It's possible to leverage the data object of the OPA policy document model
● We built an OPA Data server that can provide the data to OPA
● OPA Data Server is called from OPA policies using the built-in http.send function
○ It uses the OPA package in Go; it's very flexible.
Using dynamic external data for policies
OPA Data Server
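As an added example (not code from the talk or the presenter's project), the following Rego policy combines Case 2 with the external-data pattern above: it flags a BigQuery dataset made public from a constructed, simplified Cloud Audit Log entry, and grades the severity using a privileged-user list fetched with http.send. The data-server URL and response shape, and the exact layout of the input fields, are assumptions.

```rego
package compliance.bigquery_public

import rego.v1

# Constructed input: a simplified Cloud Audit Log entry for SetIamPolicy on a
# BigQuery dataset. Field names follow the Cloud Audit Logs schema
# (protoPayload.serviceData.policyDelta.bindingDeltas); verify the exact shape
# for BigQuery datasets against your own logs before relying on this.
public_members := {"allUsers", "allAuthenticatedUsers"}

# Each binding newly ADDed for a public principal is one finding.
public_bindings contains delta if {
	input.protoPayload.serviceName == "bigquery.googleapis.com"
	input.protoPayload.methodName == "google.iam.v1.IAMPolicy.SetIamPolicy"
	some delta in input.protoPayload.serviceData.policyDelta.bindingDeltas
	delta.action == "ADD"
	delta.member in public_members
}

# Dynamic data from an OPA Data Server (assumed URL and response shape:
# {"result": ["alice@example.com", ...]}). raise_error: false means a data
# server outage yields status_code 0 instead of aborting evaluation, so the
# rule falls through to the empty set and the policy still produces a finding.
privileged_users := users if {
	resp := http.send({
		"method": "GET",
		"url": "http://opa-data-server.internal/v1/data/privileged_users",
		"raise_error": false,
	})
	resp.status_code == 200
	users := {u | some u in resp.body.result}
} else := set()

actor := input.protoPayload.authenticationInfo.principalEmail

# A change by a known privileged user is expected work; anyone else is critical.
default severity := "critical"

severity := "high" if actor in privileged_users

# Structured response for the automated-response pipeline, not just pass/fail.
response := {
	"violation": true,
	"severity": severity,
	"actor": actor,
	"resource": input.protoPayload.resourceName,
	"public_members": [d.member | some d in public_bindings],
} if count(public_bindings) > 0
```

Evaluate with `opa eval -d policy.rego -i log.json 'data.compliance.bigquery_public.response'`; with the data server unreachable the finding is still produced, graded critical.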
Case 3: Detect threat actor activity
Data fetch for policies
● OPA and Rego are very flexible and useful for automation when handling structured security logs.
○ Able to use the ecosystem easily
○ Able to handle various logs
○ Able to use scalable technology and stable GitOps for policy
● We can extend the ability when needed
○ Rego can handle dynamic rules by fetching data over HTTP