SlideShare a Scribd company logo

CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf

L
LibbySchulze

CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf

Internet
1 of 26
Download to read offline
Joey Lei Principal Product Manager Kasten by Veeam Anders Eknert Developer Advocate Styra Data Protection Guardrails w/ Open Policy Agent (OPA)
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Joey Lei • Software Engineering and Product • Former Dell EMC Data Protection • Former Managed Services Portfolio Director Anders Eknert • Software Engineering and Advocacy • Long background in the identity space • Worked with OPA both as an end-user and maintainer About the Speakers Joey Anders
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. What is Policy? Policy as Code? Policy is a set of rules • Organizational rules • Permissions for app authorization • Kubernetes admission control • Infrastructure • Builds and deployment • Data filtering • Much more! Policy as Code Treating policy as code provides all the benefits of treating anything as code • Collaboration • Peer review • Testing • Static analysis, linters • No more PDF documents! Decoupling policy from application and business logic means policy can change independently of application life cycle. Policy may be shared across teams and functions. Clear separation of responsibilities.
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Open Policy Agent (OPA) Open Source General Purpose Policy Engine • As of February 2021, Graduated CNCF project • Unified toolset and framework for policy across the stack • Decouples policy from application logic • Separates policy decision from enforcement • Policies written in declarative language Rego
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Open Policy Agent — Community • 250+ contributors • 70+ integrations • “Used by” 800+ GitHub projects • 6600+ Github Stars • 5800+ Slack users • 130+ million downloads • Ecosystem including Conftest, Gatekeeper, VS Code and IntelliJ editor plugins.
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Open Policy Agent
How Does it Work? Policy Decision Model Rego
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. OPA — Policy Decision Model Linux PAM Service OPA Policy (Rego) Data (JSON) Request Policy Decision Policy Query Input can be ANY JSON value Output can be ANY JSON value
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. OPA — Rego • Rego — declarative high-level policy language • Allows you to describe policy across the cloud-native stack • Policy consists of any number of rules • Rules commonly return true/false but may return any type available in JSON, like strings, lists and objects • Policy testing made easy with provided unit test framework • Well documented! https://www.openpolicyagent.org/docs/latest • Try it out! https://play.openpolicyagent.org/
Demo Policy Authoring with Rego
Data Protection Guardrails with OPA
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Risk Management Meets Data Management Confidentiality aims to protect data from unauthorized access and misuse (confidentiality breach results in exploitation of customers) Integrity aims to protect data from alteration, preserving accuracy and completeness (integrity breach results in loss in trust, churn) Availability aims to enable timely access to data for authorized users when they need it (unavailability results in lost sales/revenue) Understanding C-I-A Helps Identify Opportunities for Minimizing Financial Impact
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. 81%1 of a popular Infrastructure as Code platform’s community provided modules fail to enable backup and recovery properly. Data Protection Policy Guardrails 1. Source: Bridgecrew by Prisma Cloud (PANW) Data Protection Resources (CRD’s) Role Based Access Control (RBAC) Grants API Access Policy Guardrails Policy as Code
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Create Branch Main Branch • Commit Prod IaC • Commit Data Protection IaC • Get Feedback • Data Protection Guardrails Enforcement Merge Branch Pull Request </> Data Protection Guardrails – GitOps Workflow
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Git as a source of truth • Best suited for app developers • Avoid misconfigurations in IaC • Deploy consistently every time Commit-time feedback • Check resources against policies in pull requests • Integrate into any CI/CD for instant developer feedback Data Protection Guardrails – GitOps CI Testing ✔ 3-2-1 Backup ✔ 7YR Retention ✔ Hourly RPO companygithub / prod-dp-spec / backup-policy.yaml apiVersion: policy.backup.io/v1alpha1 kind: Policy metadata: name: backup-policy spec: retention: years: [7] actions: - action: backup frequency: ‘@hourly' - action: backup-copy companygithub / prod-dp-spec / backup-target.yaml apiVersion: policy.backup.io/v1alpha1 kind: Profile metadata: name: backup-target namespace: mission-critical-app location: objectstore: #object-lock: true ❌ Immutability pseudocode
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Deploy-time feedback • Best suited for CloudOps or Data Protection Specialists • Instant feedback during deployment of apps/infra Data Protection Guardrails – Admission Control Admission Control Authorization Authentication K8s API Call kind: StatefulSet metadata: name: critical-app namespace: prod labels: dataprotection: gold-policy
Recommended Policies
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Data Protection Policy Primer Context: • Security access policies mitigate risk of unauthorized access (enforces confidentiality) • Data protection and availability policies mitigate risk of data loss and service outages (enforces availability) A standard data protection policy defines: • The amount of acceptable data loss (Recovery Point Objective or RPO) • The amount of acceptable downtime (Recovery Time Objective or RTO)
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Recovery Objectives (RPO and RTO) Recovery Point Objective • Less than 24H for General Purpose • Less than 15 minutes or <= 1 hour for Mission Critical Target Resource Types: • Policy • Schedule • CronJob Recovery Time Objective • <= Less than 8-12 hours for General Purpose • <=Within 1-3 hours for Mission Critical Target Resource Types: • Action • Restore • Job apiVersion: backup.io/v1alpha1 kind: Policy metadata: name: backup-policy spec: retention: months: [3] actions: - action: backup schedule: ‘@hourly’ - action: backup-copy pseudocode allow { input.request.object.kind == "Policy" input.request.kind.group == "backup.io" has_backup_policy } has_backup_policy { spec := input.request.object.spec.actions some action in action.schedule == "@hourly" }
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Ransomware Protection Air Gap or Immutability • Sending backup data to storage targets configured with either S3 ”Object Lock” or ”Air Gap” Target Resource Types: • BackupTarget • PersistentVolumeClaim • Target • LocationProfile • Location apiVersion: backup.io/v1alpha1 kind: BackupTarget metadata: name: aws-west-2-target spec: cloudprovider: aws region: us-west-2 bucket-name: storage-bucket advanced: object-lock: true allow { spec := input.request.spec spec.cloudprovider == "aws" spec.advanced["object-lock"] == true } allow { spec := input.request.spec spec.cloudprovider == "aws" spec.advanced["air-gap"] == true }
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Retention Objectives Federal Information Security Management Act (FISMA): 3 Years National Energy Commission (NERC) – 3 to 6 Years Basel II Capital Accord – 3 to 7 Years Sarbanes-Oxley Act of 2002 (SOX) – 7 Years Health Insurance Portability and Accountability Act (HIPAA) - 6 Years National Industrial Security Program Operating Manual (NISPOM) – 6 to 12 Months Payment Card Industry Data Security Standard (PCI-DSS) – Variable Target Resource Types: • Policy • Schedule • CronJob apiVersion: backup.io/v1alpha1 kind: Policy metadata: name: backup-policy spec: retention: years: [7] actions: - action: backup schedule: ‘@daily’ - action: backup-copy OPA code here
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. 3-2-1 Backup The Rule of “3-2-1” • 3 Copies of Data • 2 Copies on Different Storage Mediums • 1 ”Offsite” (or in cloud) The Rule of “3-2-1-1-0” • 3 Copies of Data • 2 Copies on Different Storage Mediums • 1 ”Offsite” (or in cloud) • 1 Air Gapped or Immutable • 0 Recovery Verification Errors apiVersion: backup.io/v1alpha1 kind: Policy metadata: name: backup-policy spec: retention: years: [7] actions: - action: backup schedule: ‘@daily’ - action: backup-copy allow { input.request.object.kind == "Policy" spec := input.request.object.spec actions := [action | action := spec.actions[_].action ] "backup" in actions "backup-copy" in actions }
© 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Exfiltration Protection “Living off the Land” Attack • Use of the data protection “restore” functionality to exfiltrate data Whitelist Restore Destinations • Namespaces • BackupTargets • Clusters NOTE: Does not protect all ways to exfiltrate data! apiVersion: restore.io/v1alpha1 kind: RestoreJob metadata: name: restore-job spec: target: namespace: prod-copy actions: - action: restore schedule: ‘now’ OPA code here
Demo Data Protection Policy Guardrails in CI/CD
Questions?
Thank You

Recommended

Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나Amazon Web Services Korea
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
AWS 기반 Kubernetes 정복하기::정영준:: AWS Summit Seoul 2018
AWS 기반 Kubernetes 정복하기::정영준:: AWS Summit Seoul 2018 AWS 기반 Kubernetes 정복하기::정영준:: AWS Summit Seoul 2018
AWS 기반 Kubernetes 정복하기::정영준:: AWS Summit Seoul 2018 Amazon Web Services Korea
 
AWS 상의 컨테이너 서비스 소개 ECS, EKS - 이종립 / Principle Enterprise Evangelist @베스핀글로벌
AWS 상의 컨테이너 서비스 소개 ECS, EKS - 이종립 / Principle Enterprise Evangelist @베스핀글로벌AWS 상의 컨테이너 서비스 소개 ECS, EKS - 이종립 / Principle Enterprise Evangelist @베스핀글로벌
AWS 상의 컨테이너 서비스 소개 ECS, EKS - 이종립 / Principle Enterprise Evangelist @베스핀글로벌BESPIN GLOBAL
 
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트Amazon Web Services Korea
 
Amazon DocumentDB vs MongoDB 의 내부 아키텍쳐 와 장단점 비교
Amazon DocumentDB vs MongoDB 의 내부 아키텍쳐 와 장단점 비교Amazon DocumentDB vs MongoDB 의 내부 아키텍쳐 와 장단점 비교
Amazon DocumentDB vs MongoDB 의 내부 아키텍쳐 와 장단점 비교Amazon Web Services Korea
 
Opa gatekeeper
Opa gatekeeperOpa gatekeeper
Opa gatekeeperRita Zhang
 
Containers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioContainers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioAraf Karsh Hamid
 

Recommended

Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나
Amazon RDS Proxy 집중 탐구 - 윤석찬 :: AWS Unboxing 온라인 세미나Amazon Web Services Korea
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
AWS 기반 Kubernetes 정복하기::정영준:: AWS Summit Seoul 2018
AWS 기반 Kubernetes 정복하기::정영준:: AWS Summit Seoul 2018 AWS 기반 Kubernetes 정복하기::정영준:: AWS Summit Seoul 2018
AWS 기반 Kubernetes 정복하기::정영준:: AWS Summit Seoul 2018 Amazon Web Services Korea
 
AWS 상의 컨테이너 서비스 소개 ECS, EKS - 이종립 / Principle Enterprise Evangelist @베스핀글로벌
AWS 상의 컨테이너 서비스 소개 ECS, EKS - 이종립 / Principle Enterprise Evangelist @베스핀글로벌AWS 상의 컨테이너 서비스 소개 ECS, EKS - 이종립 / Principle Enterprise Evangelist @베스핀글로벌
AWS 상의 컨테이너 서비스 소개 ECS, EKS - 이종립 / Principle Enterprise Evangelist @베스핀글로벌BESPIN GLOBAL
 
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트Amazon Web Services Korea
 
Amazon DocumentDB vs MongoDB 의 내부 아키텍쳐 와 장단점 비교
Amazon DocumentDB vs MongoDB 의 내부 아키텍쳐 와 장단점 비교Amazon DocumentDB vs MongoDB 의 내부 아키텍쳐 와 장단점 비교
Amazon DocumentDB vs MongoDB 의 내부 아키텍쳐 와 장단점 비교Amazon Web Services Korea
 
Opa gatekeeper
Opa gatekeeperOpa gatekeeper
Opa gatekeeperRita Zhang
 
Containers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioContainers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioAraf Karsh Hamid
 
AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용
AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용
AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용Amazon Web Services Korea
 
Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...
Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...
Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...Amazon Web Services
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series Amazon Web Services Korea
 
AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성
AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성
AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성Amazon Web Services Korea
 
Azure Governance
Azure GovernanceAzure Governance
Azure GovernanceBenjamin Hüpeden
 
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)Amazon Web Services Korea
 
Amazon DynamoDB 키 디자인 패턴
Amazon DynamoDB 키 디자인 패턴Amazon DynamoDB 키 디자인 패턴
Amazon DynamoDB 키 디자인 패턴Amazon Web Services Korea
 
Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...
Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...
Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...Amazon Web Services Korea
 
AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법
AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법
AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법Amazon Web Services Korea
 
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...Amazon Web Services Korea
 
데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...
데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...
데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...Amazon Web Services Korea
 
Well Architected Framework - Data
Well Architected Framework - Data Well Architected Framework - Data
Well Architected Framework - Data Craig Milroy
 
AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례
AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례
AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례Amazon Web Services Korea
 
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon Web Services Korea
 
AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스
AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스
AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스Amazon Web Services Korea
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREAraf Karsh Hamid
 
Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성 Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성 rockplace
 
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...Amazon Web Services Korea
 
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Kal BO
 

More Related Content

What's hot

AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용
AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용
AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용Amazon Web Services Korea
 
Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...
Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...
Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...Amazon Web Services
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBACKublr
 
AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series Amazon Web Services Korea
 
AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성
AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성
AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성Amazon Web Services Korea
 
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)Amazon Web Services Korea
 
Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...
Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...
Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...Amazon Web Services Korea
 
AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법
AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법
AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법Amazon Web Services Korea
 
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...Amazon Web Services Korea
 
데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...
데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...
데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...Amazon Web Services Korea
 
Well Architected Framework - Data
Well Architected Framework - Data Well Architected Framework - Data
Well Architected Framework - Data Craig Milroy
 
AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례
AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례
AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례Amazon Web Services Korea
 
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon Web Services Korea
 
AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스
AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스
AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스Amazon Web Services Korea
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREAraf Karsh Hamid
 
Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성 Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성 rockplace
 
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...Amazon Web Services Korea
 

What's hot (20)

AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용
AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용
AWS Summit Seoul 2023 | 삼성전자/쿠팡의 대규모 트래픽 처리를 위한 클라우드 네이티브 데이터베이스 활용
 
Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...
Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...
Cloud Native, Cloud First and Hybrid: How Different Organizations are Approac...
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
 
Introduction to Kubernetes RBAC
Introduction to Kubernetes RBACIntroduction to Kubernetes RBAC
Introduction to Kubernetes RBAC
 
AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS 에서 DevOps 시작하기 – 정영준, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
 
AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성
AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성
AWS Summit Seoul 2023 | AWS에서 최소한의 비용으로 구현하는 멀티리전 DR 자동화 구성
 
Azure Governance
Azure GovernanceAzure Governance
Azure Governance
 
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)
AWS Batch를 통한 손쉬운 일괄 처리 작업 관리하기 - 윤석찬 (AWS 테크에반젤리스트)
 
Amazon DynamoDB 키 디자인 패턴
Amazon DynamoDB 키 디자인 패턴Amazon DynamoDB 키 디자인 패턴
Amazon DynamoDB 키 디자인 패턴
 
Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...
Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...
Arm 기반의 AWS Graviton 프로세서로 구동되는 AWS 인스턴스 살펴보기 - 김종선, AWS솔루션즈 아키텍트:: AWS Summi...
 
AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법
AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법
AWS Summit Seoul 2023 | 100만명이 사용하는 GenerativeAI 이루다를 만들면서 배운 것 : 스캐터랩의 AWS 활용법
 
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
롯데이커머스의 마이크로 서비스 아키텍처 진화와 비용 관점의 운영 노하우-나현길, 롯데이커머스 클라우드플랫폼 팀장::AWS 마이그레이션 A ...
 
데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...
데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...
데브옵스 엔지니어를 위한 신규 운영 서비스 - 김필중, AWS 개발 전문 솔루션즈 아키텍트 / 김현민, 메가존클라우드 솔루션즈 아키텍트 :...
 
Well Architected Framework - Data
Well Architected Framework - Data Well Architected Framework - Data
Well Architected Framework - Data
 
AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례
AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례
AWS Summit Seoul 2023 | Amazon EKS 데이터 전송 비용 절감 및 카오스 엔지니어링 적용 사례
 
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
 
AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스
AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스
AWS Summit Seoul 2023 | 천만 사용자를 위한 카카오의 AWS Native 글로벌 채팅 서비스
 
Microservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SREMicroservices Docker Kubernetes Istio Kanban DevOps SRE
Microservices Docker Kubernetes Istio Kanban DevOps SRE
 
Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성 Jenkins를 활용한 Openshift CI/CD 구성
Jenkins를 활용한 Openshift CI/CD 구성
 
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
 

Similar to CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf

apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Kal BO
 
Application Modernization with PKS / Kubernetes
Application Modernization with PKS / KubernetesApplication Modernization with PKS / Kubernetes
Application Modernization with PKS / KubernetesPaul Czarkowski
 
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...MongoDB
 
Data Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI ComplianceData Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI ComplianceDavid Walker
 
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...DataWorks Summit
 
Monitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US ArmyMonitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US ArmySolarWinds
 
Open Sourcing GemFire - Apache Geode
Open Sourcing GemFire - Apache GeodeOpen Sourcing GemFire - Apache Geode
Open Sourcing GemFire - Apache GeodeApache Geode
 
An Introduction to Apache Geode (incubating)
An Introduction to Apache Geode (incubating)An Introduction to Apache Geode (incubating)
An Introduction to Apache Geode (incubating)Anthony Baker
 
ArchivePod a legacy data solution when migrating to the #CLOUD
ArchivePod a legacy data solution when migrating to the #CLOUDArchivePod a legacy data solution when migrating to the #CLOUD
ArchivePod a legacy data solution when migrating to the #CLOUDGaret Keller
 
The Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldThe Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldMaria Colgan
 
Rapid_Recovery-T75-v2204j.pdf
Rapid_Recovery-T75-v2204j.pdfRapid_Recovery-T75-v2204j.pdf
Rapid_Recovery-T75-v2204j.pdfTony Pearson
 
Webinar | Aligning GDPR Requirements with Today's Hybrid Cloud Realities
Webinar | Aligning GDPR Requirements with Today's Hybrid Cloud RealitiesWebinar | Aligning GDPR Requirements with Today's Hybrid Cloud Realities
Webinar | Aligning GDPR Requirements with Today's Hybrid Cloud RealitiesDataStax
 
Veritas + MongoDB
Veritas + MongoDBVeritas + MongoDB
Veritas + MongoDBMongoDB
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsYusuf Hadiwinata Sutandar
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Should healthcare abandon the cloud final
Should healthcare abandon the cloud finalShould healthcare abandon the cloud final
Should healthcare abandon the cloud finalsapenov
 
01-Chapter 01-Introduction to CASB and Netskope.pptx
01-Chapter 01-Introduction to CASB and Netskope.pptx01-Chapter 01-Introduction to CASB and Netskope.pptx
01-Chapter 01-Introduction to CASB and Netskope.pptxssuser4c54af
 

Similar to CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf (20)

apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...
 
Application Modernization with PKS / Kubernetes
Application Modernization with PKS / KubernetesApplication Modernization with PKS / Kubernetes
Application Modernization with PKS / Kubernetes
 
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
 
Data Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI ComplianceData Works Berlin 2018 - Worldpay - PCI Compliance
Data Works Berlin 2018 - Worldpay - PCI Compliance
 
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr...
 
Monitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US ArmyMonitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US Army
 
Open Sourcing GemFire - Apache Geode
Open Sourcing GemFire - Apache GeodeOpen Sourcing GemFire - Apache Geode
Open Sourcing GemFire - Apache Geode
 
An Introduction to Apache Geode (incubating)
An Introduction to Apache Geode (incubating)An Introduction to Apache Geode (incubating)
An Introduction to Apache Geode (incubating)
 
ArchivePod a legacy data solution when migrating to the #CLOUD
ArchivePod a legacy data solution when migrating to the #CLOUDArchivePod a legacy data solution when migrating to the #CLOUD
ArchivePod a legacy data solution when migrating to the #CLOUD
 
The Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldThe Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous World
 
Rapid_Recovery-T75-v2204j.pdf
Rapid_Recovery-T75-v2204j.pdfRapid_Recovery-T75-v2204j.pdf
Rapid_Recovery-T75-v2204j.pdf
 
Webinar | Aligning GDPR Requirements with Today's Hybrid Cloud Realities
Webinar | Aligning GDPR Requirements with Today's Hybrid Cloud RealitiesWebinar | Aligning GDPR Requirements with Today's Hybrid Cloud Realities
Webinar | Aligning GDPR Requirements with Today's Hybrid Cloud Realities
 
Veritas + MongoDB
Veritas + MongoDBVeritas + MongoDB
Veritas + MongoDB
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Should healthcare abandon the cloud final
Should healthcare abandon the cloud finalShould healthcare abandon the cloud final
Should healthcare abandon the cloud final
 
01-Chapter 01-Introduction to CASB and Netskope.pptx
01-Chapter 01-Introduction to CASB and Netskope.pptx01-Chapter 01-Introduction to CASB and Netskope.pptx
01-Chapter 01-Introduction to CASB and Netskope.pptx
 

More from LibbySchulze

Running distributed tests with k6.pdf
Running distributed tests with k6.pdfRunning distributed tests with k6.pdf
Running distributed tests with k6.pdfLibbySchulze
 
Extending Kubectl.pptx
Extending Kubectl.pptxExtending Kubectl.pptx
Extending Kubectl.pptxLibbySchulze
 
Enhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsEnhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsLibbySchulze
 
Fallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdfFallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdfLibbySchulze
 
Intro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdfIntro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdfLibbySchulze
 
Enhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptxEnhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptxLibbySchulze
 
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdfCNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdfLibbySchulze
 
Oh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdfOh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdfLibbySchulze
 
Rancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptxRancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptxLibbySchulze
 
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptxvFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptxLibbySchulze
 
CNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVMCNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVMLibbySchulze
 
EnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfEnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfLibbySchulze
 
AirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdfAirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdfLibbySchulze
 
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...LibbySchulze
 
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...LibbySchulze
 
CNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdfCNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdfLibbySchulze
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdfLibbySchulze
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdfLibbySchulze
 
Advancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for AzureAdvancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for AzureLibbySchulze
 
Containerized IDEs.pdf
Containerized IDEs.pdfContainerized IDEs.pdf
Containerized IDEs.pdfLibbySchulze
 

More from LibbySchulze (20)

Running distributed tests with k6.pdf
Running distributed tests with k6.pdfRunning distributed tests with k6.pdf
Running distributed tests with k6.pdf
 
Extending Kubectl.pptx
Extending Kubectl.pptxExtending Kubectl.pptx
Extending Kubectl.pptx
 
Enhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo WorkflowsEnhancing Data Protection Workflows with Kanister And Argo Workflows
Enhancing Data Protection Workflows with Kanister And Argo Workflows
 
Fallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdfFallacies in Platform Engineering.pdf
Fallacies in Platform Engineering.pdf
 
Intro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdfIntro to Fluvio.pptx.pdf
Intro to Fluvio.pptx.pdf
 
Enhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptxEnhance your Kafka Infrastructure with Fluvio.pptx
Enhance your Kafka Infrastructure with Fluvio.pptx
 
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdfCNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
CNCF On-Demand Webinar_ LitmusChaos Project Updates.pdf
 
Oh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdfOh The Places You'll Sign.pdf
Oh The Places You'll Sign.pdf
 
Rancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptxRancher MasterClass - Avoiding-configuration-drift.pptx
Rancher MasterClass - Avoiding-configuration-drift.pptx
 
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptxvFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
vFunction Konveyor Meetup - Why App Modernization Projects Fail - Aug 2022.pptx
 
CNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVMCNCF Live Webinar: Low Footprint Java Containers with GraalVM
CNCF Live Webinar: Low Footprint Java Containers with GraalVM
 
EnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdfEnRoute-OPA-Integration.pdf
EnRoute-OPA-Integration.pdf
 
AirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdfAirGap_zusammen_neu.pdf
AirGap_zusammen_neu.pdf
 
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
Copy of OTel Me All About OpenTelemetry The Current & Future State, Navigatin...
 
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
OTel Me All About OpenTelemetry The Current & Future State, Navigating the Pr...
 
CNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdfCNCF_ A step to step guide to platforming your delivery setup.pdf
CNCF_ A step to step guide to platforming your delivery setup.pdf
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdf
 
Securing Windows workloads.pdf
Securing Windows workloads.pdfSecuring Windows workloads.pdf
Securing Windows workloads.pdf
 
Advancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for AzureAdvancements in Kubernetes Workload Identity for Azure
Advancements in Kubernetes Workload Identity for Azure
 
Containerized IDEs.pdf
Containerized IDEs.pdfContainerized IDEs.pdf
Containerized IDEs.pdf
 

Recently uploaded

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 

Recently uploaded (17)

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 

CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf

  • 1. Joey Lei Principal Product Manager Kasten by Veeam Anders Eknert Developer Advocate Styra Data Protection Guardrails w/ Open Policy Agent (OPA)
  • 2. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Joey Lei • Software Engineering and Product • Former Dell EMC Data Protection • Former Managed Services Portfolio Director Anders Eknert • Software Engineering and Advocacy • Long background in the identity space • Worked with OPA both as an end-user and maintainer About the Speakers Joey Anders
  • 3. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. What is Policy? Policy as Code? Policy is a set of rules • Organizational rules • Permissions for app authorization • Kubernetes admission control • Infrastructure • Builds and deployment • Data filtering • Much more! Policy as Code Treating policy as code provides all the benefits of treating anything as code • Collaboration • Peer review • Testing • Static analysis, linters • No more PDF documents! Decoupling policy from application and business logic means policy can change independently of application life cycle. Policy may be shared across teams and functions. Clear separation of responsibilities.
  • 4. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Open Policy Agent (OPA) Open Source General Purpose Policy Engine • As of February 2021, Graduated CNCF project • Unified toolset and framework for policy across the stack • Decouples policy from application logic • Separates policy decision from enforcement • Policies written in declarative language Rego
  • 5. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Open Policy Agent — Community • 250+ contributors • 70+ integrations • “Used by” 800+ GitHub projects • 6600+ Github Stars • 5800+ Slack users • 130+ million downloads • Ecosystem including Conftest, Gatekeeper, VS Code and IntelliJ editor plugins.
  • 6. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Open Policy Agent
  • 7. How Does it Work? Policy Decision Model Rego
  • 8. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. OPA — Policy Decision Model Linux PAM Service OPA Policy (Rego) Data (JSON) Request Policy Decision Policy Query Input can be ANY JSON value Output can be ANY JSON value
  • 9. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. OPA — Rego • Rego — declarative high-level policy language • Allows you to describe policy across the cloud-native stack • Policy consists of any number of rules • Rules commonly return true/false but may return any type available in JSON, like strings, lists and objects • Policy testing made easy with provided unit test framework • Well documented! https://www.openpolicyagent.org/docs/latest • Try it out! https://play.openpolicyagent.org/
  • 12. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Risk Management Meets Data Management Confidentiality aims to protect data from unauthorized access and misuse (confidentiality breach results in exploitation of customers) Integrity aims to protect data from alteration, preserving accuracy and completeness (integrity breach results in loss in trust, churn) Availability aims to enable timely access to data for authorized users when they need it (unavailability results in lost sales/revenue) Understanding C-I-A Helps Identify Opportunities for Minimizing Financial Impact
  • 13. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. 81%1 of a popular Infrastructure as Code platform’s community provided modules fail to enable backup and recovery properly. Data Protection Policy Guardrails 1. Source: Bridgecrew by Prisma Cloud (PANW) Data Protection Resources (CRD’s) Role Based Access Control (RBAC) Grants API Access Policy Guardrails Policy as Code
  • 14. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Create Branch Main Branch • Commit Prod IaC • Commit Data Protection IaC • Get Feedback • Data Protection Guardrails Enforcement Merge Branch Pull Request </> Data Protection Guardrails – GitOps Workflow
  • 15. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Git as a source of truth • Best suited for app developers • Avoid misconfigurations in IaC • Deploy consistently every time Commit-time feedback • Check resources against policies in pull requests • Integrate into any CI/CD for instant developer feedback Data Protection Guardrails – GitOps CI Testing ✔ 3-2-1 Backup ✔ 7YR Retention ✔ Hourly RPO companygithub / prod-dp-spec / backup-policy.yaml apiVersion: policy.backup.io/v1alpha1 kind: Policy metadata: name: backup-policy spec: retention: years: [7] actions: - action: backup frequency: ‘@hourly' - action: backup-copy companygithub / prod-dp-spec / backup-target.yaml apiVersion: policy.backup.io/v1alpha1 kind: Profile metadata: name: backup-target namespace: mission-critical-app location: objectstore: #object-lock: true ❌ Immutability pseudocode
  • 16. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Deploy-time feedback • Best suited for CloudOps or Data Protection Specialists • Instant feedback during deployment of apps/infra Data Protection Guardrails – Admission Control Admission Control Authorization Authentication K8s API Call kind: StatefulSet metadata: name: critical-app namespace: prod labels: dataprotection: gold-policy
  • 18. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Data Protection Policy Primer Context: • Security access policies mitigate risk of unauthorized access (enforces confidentiality) • Data protection and availability policies mitigate risk of data loss and service outages (enforces availability) A standard data protection policy defines: • The amount of acceptable data loss (Recovery Point Objective or RPO) • The amount of acceptable downtime (Recovery Time Objective or RTO)
  • 19. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Recovery Objectives (RPO and RTO) Recovery Point Objective • Less than 24H for General Purpose • Less than 15 minutes or <= 1 hour for Mission Critical Target Resource Types: • Policy • Schedule • CronJob Recovery Time Objective • <= Less than 8-12 hours for General Purpose • <=Within 1-3 hours for Mission Critical Target Resource Types: • Action • Restore • Job apiVersion: backup.io/v1alpha1 kind: Policy metadata: name: backup-policy spec: retention: months: [3] actions: - action: backup schedule: ‘@hourly’ - action: backup-copy pseudocode allow { input.request.object.kind == "Policy" input.request.kind.group == "backup.io" has_backup_policy } has_backup_policy { spec := input.request.object.spec.actions some action in action.schedule == "@hourly" }
  • 20. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Ransomware Protection Air Gap or Immutability • Sending backup data to storage targets configured with either S3 ”Object Lock” or ”Air Gap” Target Resource Types: • BackupTarget • PersistentVolumeClaim • Target • LocationProfile • Location apiVersion: backup.io/v1alpha1 kind: BackupTarget metadata: name: aws-west-2-target spec: cloudprovider: aws region: us-west-2 bucket-name: storage-bucket advanced: object-lock: true allow { spec := input.request.spec spec.cloudprovider == "aws" spec.advanced["object-lock"] == true } allow { spec := input.request.spec spec.cloudprovider == "aws" spec.advanced["air-gap"] == true }
  • 21. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Retention Objectives Federal Information Security Management Act (FISMA): 3 Years National Energy Commission (NERC) – 3 to 6 Years Basel II Capital Accord – 3 to 7 Years Sarbanes-Oxley Act of 2002 (SOX) – 7 Years Health Insurance Portability and Accountability Act (HIPAA) - 6 Years National Industrial Security Program Operating Manual (NISPOM) – 6 to 12 Months Payment Card Industry Data Security Standard (PCI-DSS) – Variable Target Resource Types: • Policy • Schedule • CronJob apiVersion: backup.io/v1alpha1 kind: Policy metadata: name: backup-policy spec: retention: years: [7] actions: - action: backup schedule: ‘@daily’ - action: backup-copy OPA code here
  • 22. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. 3-2-1 Backup The Rule of “3-2-1” • 3 Copies of Data • 2 Copies on Different Storage Mediums • 1 ”Offsite” (or in cloud) The Rule of “3-2-1-1-0” • 3 Copies of Data • 2 Copies on Different Storage Mediums • 1 ”Offsite” (or in cloud) • 1 Air Gapped or Immutable • 0 Recovery Verification Errors apiVersion: backup.io/v1alpha1 kind: Policy metadata: name: backup-policy spec: retention: years: [7] actions: - action: backup schedule: ‘@daily’ - action: backup-copy allow { input.request.object.kind == "Policy" spec := input.request.object.spec actions := [action | action := spec.actions[_].action ] "backup" in actions "backup-copy" in actions }
  • 23. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners. Exfiltration Protection “Living off the Land” Attack • Use of the data protection “restore” functionality to exfiltrate data Whitelist Restore Destinations • Namespaces • BackupTargets • Clusters NOTE: Does not protect all ways to exfiltrate data! apiVersion: restore.io/v1alpha1 kind: RestoreJob metadata: name: restore-job spec: target: namespace: prod-copy actions: - action: restore schedule: ‘now’ OPA code here
  • 24. Demo Data Protection Policy Guardrails in CI/CD