[Suggestion] Integration of Certificate LCM with related security processes #1035
Labels: inactive (No activity on issue/PR), suggestion (New suggestion for the CNCF sig-security group that doesn't fall into an existing category), triage-required (Requires triage)
Description: Add certificate management best practices and principles, and integrate them with other recommendations.
Impact: Improve security posture for selected use cases; enhance productivity where automation support can be added; potentially add an additional trust layer for zero trust.
Scope: Minimally, a day of research and reading, a day of drafting, and a second day to edit. A deeper, more opinionated and influential review would embed certificate recommendations into other CNCF Security TAG artifacts.
Suggested subtopics and selected references:
- SDLC for cloud native, particularly as integrated with CI/CD but also IaC
- Identify best practices for three recognized categories of SSL certificate authentication types:
  - Protocol support
- Asset management: protecting digital and non-digital assets; e.g., ServiceNow ITOM
- Zero trust. See the AppViewX post; e.g., cert revocation offers a trust layer
- Where SPIFFE fits in
- Certificate discovery
- Tool stack interop: e.g., ServiceNow, Collibra
- Support for metadata management
- How DevOps tools leverage PKI (suggested by AppViewX)
- Identity & Identity Access Management: tie to certificate LCM
- Service as an orchestrated, identified asset (see INCOSE service metamodels)
- From Venafi: Figure 6, The Blueprint for a Modern Machine Identity Management Architecture
- TLS in Kubernetes: https://kubernetes.io/docs/tasks/tls/ and https://snyk.io/blog/setting-up-ssl-tls-for-kubernetes-ingress/

Indirectly related topics:
- Related IEEE/ISO standards
  - Less useful, except as applied to IoT