
Achieving Security Compliance Monitoring with Open Policy Agent and Rego

Explain how we use OPA for Security Compliance Monitoring.

YouTube video (in Japanese)
https://www.youtube.com/watch?v=0YpJhrz6L0A&t=2129

Hiroki Suezawa

July 07, 2021

Transcript

  1. Achieving Security Compliance Monitoring with Open Policy Agent and Rego
    Mercari Security, Hiroki Suezawa (@rung), David Chapdelaine
    July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup Lightning Talks
  2. Agenda
    01 Why OPA & Rego for Security Compliance
    02 Dynamic Policies with External Data
  3. Why OPA & Rego for security compliance
    • Why?
      ◦ Need to handle structured security logs.
      ◦ Need to analyze a wide variety of audit and security logs from various sources.
      ◦ Need to use the policy engine for automated response.
    • OPA
      ◦ Able to manage policy as code in Rego easily.
      ◦ Unified way to write the policies in one language across different technologies.
      ◦ Testing and coverage support.
      ◦ Simple to deploy and maintain using GitOps.
      ◦ Built-in decision logs.
      ◦ Ability to build complex responses and not just pass/fail.
      ◦ Strong adoption in the OSS community and Cloud Native.
  4. OPA serverless deployment
    • Policy as code
    • Scalable
    • GitOps
  5. Use cases: security compliance monitoring

  6. Case 1: Auditing Google Cloud IAM changes

  7. Case 2: BigQuery dataset made public (the slide shows two policy outputs: one for notification, one for automated response)
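Cases 1 and 2 are shown on the slides only as screenshots. The policy below is an added example (my code, not Mercari's policy) of what these checks look like in Rego. It evaluates one Google Cloud audit log entry passed as `input`, flags a `SetIamPolicy` call that grants a role to `allUsers`/`allAuthenticatedUsers` (Case 2, with an automated-response action attached) or grants a privileged project role to a named principal (Case 1, notification only), and returns a structured decision rather than a bare pass/fail, which is the "complex responses" point from slide 3. The sample entries inside the block are constructed, modelled on the Cloud Audit Log `policyDelta.bindingDeltas` shape; the privileged-role list and the `response` values are assumptions. It uses the newer `import rego.v1` syntax (OPA 0.59 and later), which the 2021 deck predates, and the `test_` rules run with `opa test`.

```rego
package compliance.gcp_iam

import rego.v1

# Principals that make a resource readable by the whole world.
public_members := {"allUsers", "allAuthenticatedUsers"}

# Project-level roles whose grant is worth a notification even to a named
# identity (assumed list; tune it to your own environment).
privileged_roles := {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

# Every binding that a SetIamPolicy call added. The Resource Manager method
# ("SetIamPolicy") and the BigQuery dataset method
# ("google.iam.v1.IAMPolicy.SetIamPolicy") share the same suffix.
added_bindings contains b if {
	endswith(input.protoPayload.methodName, "SetIamPolicy")
	some b in input.protoPayload.serviceData.policyDelta.bindingDeltas
	b.action == "ADD"
}

# Case 2: a role was granted to a public principal (e.g. a dataset made public).
# This finding is the one that drives the automated response.
findings contains f if {
	some b in added_bindings
	b.member in public_members
	f := finding("public-binding-added", "critical", "revoke", b)
}

# Case 1: a privileged project role was granted to a named principal. Notify only.
findings contains f if {
	some b in added_bindings
	not public_members[b.member]
	b.role in privileged_roles
	f := finding("privileged-role-added", "high", "notify", b)
}

finding(rule, severity, response, b) := {
	"rule": rule,
	"severity": severity,
	"response": response,
	"resource": input.protoPayload.resourceName,
	"role": b.role,
	"member": b.member,
	"actor": input.protoPayload.authenticationInfo.principalEmail
}

# The decision handed to the responder: a structured object, not true/false.
default decision := {"alert": false, "findings": []}

decision := {"alert": true, "findings": [f | some f in findings]} if count(findings) > 0

# ---- tests (constructed sample entries shaped like Cloud Audit Log records) ----

sample_dataset_made_public := {"protoPayload": {
	"serviceName": "bigquery.googleapis.com",
	"methodName": "google.iam.v1.IAMPolicy.SetIamPolicy",
	"resourceName": "projects/example-project/datasets/customer_data",
	"authenticationInfo": {"principalEmail": "alice@example.com"},
	"serviceData": {"policyDelta": {"bindingDeltas": [
		{"action": "ADD", "role": "roles/bigquery.dataViewer", "member": "allUsers"}
	]}}
}}

sample_owner_granted := {"protoPayload": {
	"serviceName": "cloudresourcemanager.googleapis.com",
	"methodName": "SetIamPolicy",
	"resourceName": "projects/example-project",
	"authenticationInfo": {"principalEmail": "bob@example.com"},
	"serviceData": {"policyDelta": {"bindingDeltas": [
		{"action": "ADD", "role": "roles/owner", "member": "user:carol@example.com"},
		{"action": "REMOVE", "role": "roles/viewer", "member": "user:dave@example.com"}
	]}}
}}

test_public_dataset_triggers_revoke if {
	d := decision with input as sample_dataset_made_public
	d.alert
	count(d.findings) == 1
	d.findings[0].rule == "public-binding-added"
	d.findings[0].response == "revoke"
}

test_owner_grant_only_notifies if {
	d := decision with input as sample_owner_granted
	count(d.findings) == 1
	d.findings[0].rule == "privileged-role-added"
	d.findings[0].response == "notify"
}

test_removal_does_not_alert if {
	d := decision with input as {"protoPayload": {
		"methodName": "SetIamPolicy",
		"serviceData": {"policyDelta": {"bindingDeltas": [
			{"action": "REMOVE", "role": "roles/owner", "member": "allUsers"}
		]}}
	}}
	not d.alert
}
```

Run the tests with `opa test -v policy.rego`, or evaluate a real entry saved as JSON with `opa eval -i entry.json -d policy.rego 'data.compliance.gcp_iam.decision'`. Only `ADD` deltas are considered, so a policy change that removes a public binding stays quiet, and the `response` field lets the same decision feed both the notification path and the automated-response path shown on the slide.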
  8. Dynamic policies: using external data for decisions

  9. Using dynamic external data for policies
    • In some cases, policies require data that can change often, isn't fully known at policy creation, or would simply be impractical to embed and manage inside the policy. Examples:
      ◦ Suspicious IP address list
      ◦ Groups-to-users list
      ◦ Employee list with high-privileged access
    • It's possible to leverage the OPA policy document model's data object.
    • We built an OPA Data Server that can provide the data to the OPA server.
    • The OPA Data Server is called from OPA policies using the built-in HTTP functions.
      ◦ It uses the OPA package in Go, which is very flexible.
  10. OPA Data Server

  11. Case 3: Detect threat actor activity

  12. Data fetch for policies
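Slides 9, 11 and 12 describe fetching data such as a suspicious IP list from the OPA Data Server with the built-in HTTP functions, but show no policy text. The block below is an added example (my code, not Mercari's) of that pattern in Rego: `http.send` pulls the list with a timeout and server-side caching inside OPA, `raise_error: false` turns a network failure into a response object instead of aborting evaluation, and an unreachable data server is reported as its own finding so that it cannot be mistaken for "no suspicious IPs". The server URL, the `{"ips": [...]}` response shape and the `requestMetadata.callerIp` field are assumptions; the tests mock `http.send` (supported since OPA 0.39) so the example runs offline. Like the previous example it uses `import rego.v1` syntax.

```rego
package compliance.threat_intel

import rego.v1

# Hypothetical address of the OPA Data Server (assumption; the deck gives no URL).
data_server_url := "http://opa-data-server.internal:8080/v1/suspicious-ips"

# One fetch per evaluation, cached by OPA for 300 seconds so that a burst of
# log entries does not become a burst of HTTP calls. raise_error=false makes a
# network failure come back as a response object (status_code 0 plus "error")
# instead of failing the whole policy.
feed := http.send({
	"method": "GET",
	"url": data_server_url,
	"timeout": "2s",
	"raise_error": false,
	"force_cache": true,
	"force_cache_duration_seconds": 300
})

feed_ok if feed.status_code == 200

# The list is only trusted when the fetch succeeded. Without this guard an
# outage would yield an empty set, which looks exactly like a clean result.
suspicious_ips := {ip |
	feed_ok
	some ip in feed.body.ips
}

# Assumed location of the source address in the log entry (Cloud Audit Log style).
caller_ip := input.protoPayload.requestMetadata.callerIp

findings contains f if {
	caller_ip in suspicious_ips
	f := {
		"rule": "threat-actor-ip",
		"severity": "high",
		"ip": caller_ip,
		"actor": input.protoPayload.authenticationInfo.principalEmail,
		"method": input.protoPayload.methodName
	}
}

# Fail loudly, not silently: an unreachable data server is itself a finding.
findings contains f if {
	not feed_ok
	f := {
		"rule": "threat-intel-unavailable",
		"severity": "warning",
		"detail": sprintf("data server returned status %v", [feed.status_code])
	}
}

default decision := {"alert": false, "findings": []}

decision := {"alert": true, "findings": [f | some f in findings]} if count(findings) > 0

# ---- tests: http.send is replaced by constructed mock responses ----

mock_feed_up(_) := {"status_code": 200, "body": {"ips": ["203.0.113.7", "198.51.100.9"]}}

mock_feed_down(_) := {"status_code": 503, "body": {}}

# Constructed audit entry whose caller address is on the list.
sample_entry := {"protoPayload": {
	"methodName": "google.cloud.bigquery.v2.TableService.GetTable",
	"authenticationInfo": {"principalEmail": "alice@example.com"},
	"requestMetadata": {"callerIp": "203.0.113.7"}
}}

test_listed_ip_is_flagged if {
	d := decision with input as sample_entry with http.send as mock_feed_up
	d.alert
	d.findings[0].rule == "threat-actor-ip"
}

test_unlisted_ip_is_clean if {
	clean := json.patch(sample_entry, [{"op": "replace", "path": "/protoPayload/requestMetadata/callerIp", "value": "192.0.2.44"}])
	d := decision with input as clean with http.send as mock_feed_up
	not d.alert
}

test_data_server_outage_is_visible if {
	d := decision with input as sample_entry with http.send as mock_feed_down
	d.alert
	d.findings[0].rule == "threat-intel-unavailable"
}
```

Run with `opa test -v policy.rego`. Because the fetch is cached with `force_cache`, the data server sees at most one request per cache window per OPA instance regardless of log volume; the trade-off is that a newly added IP takes up to that window to become effective, so pick the duration to match how fast the list changes. If the list is large or changes rarely, the alternative from slide 9 is to push it into the `data` document (for example via a bundle) and read `data.suspicious_ips` instead of calling `http.send` at all.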

  13. Summary
    • OPA and Rego are very flexible and useful for automation when handling structured security logs.
      ◦ Able to use the ecosystem easily
      ◦ Able to handle various logs
      ◦ Able to use scalable technology and stable GitOps for policy
    • We can extend the ability when needed.
      ◦ Rego can handle dynamic rules via HTTP requests.