
Achieving Security Compliance Monitoring with Open Policy Agent and Rego

Explain how we use OPA for Security Compliance Monitoring.

Youtube Video (in Japanese)
https://www.youtube.com/watch?v=0YpJhrz6L0A&t=2129

Hiroki Suezawa (@rung)

July 07, 2021

Transcript

  1. (slide 1) Achieving Security Compliance Monitoring with Open Policy Agent and Rego
     Mercari Security: Hiroki Suezawa (@rung), David Chapdelaine
     July 7th 2021, Open Policy Agent Rego Knowledge Sharing Meetup Lightning Talks

  2. (slide 2) Agenda
     01 Why OPA & Rego for Security Compliance
     02 Dynamic Policies with External Data

  3. (slide 3) Why OPA & Rego for security compliance
     • Why?
       ◦ Need to handle structured security logs.
       ◦ Need to analyze a wide variety of audit and security logs from various sources.
       ◦ Need to use the policy engine for automated response.
     • OPA
       ◦ Able to manage policy as code in Rego easily.
       ◦ Unified way to write the policies in one language across different technologies.
       ◦ Testing and coverage support.
       ◦ Simple to deploy and maintain using GitOps.
       ◦ Built-in decision logs.
       ◦ Ability to build complex responses, not just pass/fail.
       ◦ Strong adoption in the OSS and Cloud Native communities.

  4. (slide 9) Using dynamic external data for policies
     • In some cases, policies require data that changes often, is not fully known at policy creation time, or would simply be impractical to embed and manage inside the policy. Examples:
       ◦ Suspicious IP address list
       ◦ Groups-to-users list
       ◦ Employee list with highly privileged access
     • It is possible to leverage the data object of the OPA policy document model.
     • We built an OPA Data Server that provides this data to the OPA server.
     • The OPA Data Server is called from OPA policies using the built-in HTTP functions.
       ◦ It is built with the OPA package in Go, which makes it very flexible.
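As an added example, not code from the talk or from Mercari, here is a Rego policy in the style slide 9 describes: it fetches the suspicious IP list from the data server with the built-in http.send and evaluates a structured login log entry against it. The data server URL, its response shape ({"ips": [...]}) and the log entry fields are assumptions.

```rego
package security.compliance.login

default alert := false

# Suspicious IP list served by the OPA Data Server (assumed URL and
# response shape). The result is cached so a burst of log entries does
# not cause one request per evaluation; a non-200 reply leaves the list
# undefined, so alert falls back to its default of false.
suspicious_ips := resp.body.ips {
	resp := http.send({
		"method": "GET",
		"url": "http://opa-data-server.example.internal/v1/suspicious-ips",
		"force_json_decode": true,
		"force_cache": true,
		"force_cache_duration_seconds": 300,
	})
	resp.status_code == 200
}

# The check takes the log entry and the IP list as arguments so it can
# be unit-tested without network access.
alert_for(entry, ips) {
	entry.event == "login"
	entry.status == "success"
	entry.source_ip == ips[_]
}

alert {
	alert_for(input, suspicious_ips)
}

# A structured response rather than bare pass/fail, for automated response.
response := {
	"alert": true,
	"severity": "high",
	"user": input.user,
	"source_ip": input.source_ip,
	"reason": "successful login from an IP on the suspicious list",
} {
	alert
}

# Unit tests over constructed log entries (run with `opa test .`).
test_login_from_listed_ip_alerts {
	alert_for({"event": "login", "status": "success", "user": "alice", "source_ip": "203.0.113.7"}, ["203.0.113.7"])
}

test_login_from_unlisted_ip_is_clean {
	not alert_for({"event": "login", "status": "success", "user": "alice", "source_ip": "198.51.100.9"}, ["203.0.113.7"])
}
```

In a real repository the test rules would normally live in a separate _test.rego file next to the policy.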
  5. (slide 13) Summary
     • OPA and Rego are very flexible and useful for automating the handling of structured security logs.
       ◦ Able to use the ecosystem easily.
       ◦ Able to handle various logs.
       ◦ Able to use scalable technology and stable GitOps for policy.
     • We can extend the capabilities when needed.
       ◦ Rego can handle dynamic rules by fetching data over HTTP.