The document discusses a presentation by Joey Lei and Anders Eknert on data protection guardrails using Open Policy Agent (OPA). It provides background on the speakers and an overview of OPA, including how it works, the Rego policy language, and OPA's open source community. It then discusses how data protection policies can be enforced as code using OPA to provide guardrails for infrastructure-as-code deployments and prevent misconfigurations that could compromise availability, integrity or confidentiality of data. Examples of policy checks for recovery objectives, retention, backup strategies and exfiltration protection are provided.

1. Joey Lei
Principal Product Manager
Kasten by Veeam
Anders Eknert
Developer Advocate
Styra
Data Protection Guardrails w/
Open Policy Agent (OPA)

2. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Joey Lei
• Software Engineering and Product
• Former Dell EMC Data Protection
• Former Managed Services Portfolio Director
Anders Eknert
• Software Engineering and Advocacy
• Long background in the identity space
• Worked with OPA both as an end-user and maintainer
About the Speakers
Joey Anders

3. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
What is Policy? Policy as Code?
Policy is a set of rules
• Organizational rules
• Permissions for app authorization
• Kubernetes admission control
• Infrastructure
• Builds and deployment
• Data filtering
• Much more!
Policy as Code
Treating policy as code provides all the
benefits of treating anything as code
• Collaboration
• Peer review
• Testing
• Static analysis, linters
• No more PDF documents!
Decoupling policy from application and business logic means policy can change independently of application life cycle.
Policy may be shared across teams and functions. Clear separation of responsibilities.

4. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Open Policy Agent (OPA)
Open Source General Purpose Policy Engine
• As of February 2021, Graduated CNCF project
• Unified toolset and framework for policy across the stack
• Decouples policy from application logic
• Separates policy decision from enforcement
• Policies written in declarative language Rego

5. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Open Policy Agent — Community
• 250+ contributors
• 70+ integrations
• “Used by” 800+ GitHub projects
• 6600+ Github Stars
• 5800+ Slack users
• 130+ million downloads
• Ecosystem including Conftest,
Gatekeeper, VS Code and IntelliJ
editor plugins.

6. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Open Policy Agent

7. How Does it Work?
Policy Decision Model
Rego

8. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
OPA — Policy Decision Model
Linux PAM
Service
OPA
Policy
(Rego)
Data
(JSON)
Request
Policy
Decision
Policy
Query
Input can be ANY JSON value Output can be ANY JSON value

9. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
OPA — Rego
• Rego — declarative high-level policy language
• Allows you to describe policy across the cloud-native stack
• Policy consists of any number of rules
• Rules commonly return true/false but may return any type
available in JSON, like strings, lists and objects
• Policy testing made easy with provided unit test framework
• Well documented! https://www.openpolicyagent.org/docs/latest
• Try it out! https://play.openpolicyagent.org/

10. Demo
Policy Authoring with Rego

11. Data Protection Guardrails with OPA

12. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Risk Management Meets Data Management
Confidentiality aims to protect data from
unauthorized access and misuse
(confidentiality breach results in exploitation of customers)
Integrity aims to protect data from alteration,
preserving accuracy and completeness
(integrity breach results in loss in trust, churn)
Availability aims to enable timely access to
data for authorized users when they need it
(unavailability results in lost sales/revenue)
Understanding C-I-A Helps Identify Opportunities for Minimizing Financial Impact

13. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
81%1
of a popular Infrastructure as Code platform’s community
provided modules fail to enable backup and recovery properly.
Data Protection Policy Guardrails
1. Source: Bridgecrew by Prisma Cloud (PANW)
Data Protection
Resources
(CRD’s)
Role Based
Access Control
(RBAC)
Grants API
Access
Policy
Guardrails
Policy as Code

14. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Create Branch
Main Branch
• Commit Prod IaC
• Commit Data
Protection IaC
• Get Feedback
• Data Protection Guardrails
Enforcement
Merge Branch
Pull
Request
</>
Data Protection Guardrails – GitOps Workflow

15. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Git as a source of truth
• Best suited for app developers
• Avoid misconfigurations in IaC
• Deploy consistently every time
Commit-time feedback
• Check resources against policies in pull
requests
• Integrate into any CI/CD for instant
developer feedback
Data Protection Guardrails – GitOps CI Testing
✔ 3-2-1 Backup
✔ 7YR Retention
✔ Hourly RPO
companygithub / prod-dp-spec / backup-policy.yaml
apiVersion: policy.backup.io/v1alpha1
kind: Policy
metadata:
name: backup-policy
spec:
retention:
years: [7]
actions:
- action: backup
frequency: ‘@hourly'
- action: backup-copy
companygithub / prod-dp-spec / backup-target.yaml
apiVersion: policy.backup.io/v1alpha1
kind: Profile
metadata:
name: backup-target
namespace: mission-critical-app
location:
objectstore:
#object-lock: true
❌ Immutability
pseudocode

16. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Deploy-time feedback
• Best suited for CloudOps or Data Protection Specialists
• Instant feedback during deployment of apps/infra
Data Protection Guardrails – Admission Control
Admission Control
Authorization
Authentication
K8s API Call
kind: StatefulSet
metadata:
name: critical-app
namespace: prod
labels:
dataprotection: gold-policy

17. Recommended Policies

18. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Data Protection Policy Primer
Context:
• Security access policies mitigate risk of unauthorized access (enforces confidentiality)
• Data protection and availability policies mitigate risk of data loss and service outages (enforces availability)
A standard data protection policy defines:
• The amount of acceptable data loss (Recovery Point Objective or RPO)
• The amount of acceptable downtime (Recovery Time Objective or RTO)

19. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Recovery Objectives (RPO and RTO)
Recovery Point Objective
• Less than 24H for General Purpose
• Less than 15 minutes or <= 1 hour for Mission Critical
Target Resource Types:
• Policy
• Schedule
• CronJob
Recovery Time Objective
• <= Less than 8-12 hours for General Purpose
• <=Within 1-3 hours for Mission Critical
Target Resource Types:
• Action
• Restore
• Job
apiVersion: backup.io/v1alpha1
kind: Policy
metadata:
name: backup-policy
spec:
retention:
months: [3]
actions:
- action: backup
schedule: ‘@hourly’
- action: backup-copy
pseudocode
allow {
input.request.object.kind == "Policy"
input.request.kind.group == "backup.io"
has_backup_policy
}
has_backup_policy {
spec := input.request.object.spec.actions
some action in
action.schedule == "@hourly"
}

20. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Ransomware Protection
Air Gap or Immutability
• Sending backup data to storage targets configured
with either S3 ”Object Lock” or ”Air Gap”
Target Resource Types:
• BackupTarget
• PersistentVolumeClaim
• Target
• LocationProfile
• Location
apiVersion: backup.io/v1alpha1
kind: BackupTarget
metadata:
name: aws-west-2-target
spec:
cloudprovider: aws
region: us-west-2
bucket-name: storage-bucket
advanced:
object-lock: true
allow {
spec := input.request.spec
spec.cloudprovider == "aws"
spec.advanced["object-lock"] == true
}
allow {
spec := input.request.spec
spec.cloudprovider == "aws"
spec.advanced["air-gap"] == true
}

21. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Retention Objectives
Federal Information Security Management Act (FISMA): 3
Years
National Energy Commission (NERC) – 3 to 6 Years
Basel II Capital Accord – 3 to 7 Years
Sarbanes-Oxley Act of 2002 (SOX) – 7 Years
Health Insurance Portability and Accountability Act (HIPAA)
- 6 Years
National Industrial Security Program
Operating Manual (NISPOM) – 6 to 12 Months
Payment Card Industry Data Security Standard (PCI-DSS) –
Variable
Target Resource Types:
• Policy
• Schedule
• CronJob
apiVersion: backup.io/v1alpha1
kind: Policy
metadata:
name: backup-policy
spec:
retention:
years: [7]
actions:
- action: backup
schedule: ‘@daily’
- action: backup-copy
OPA code here

22. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
3-2-1 Backup
The Rule of “3-2-1”
• 3 Copies of Data
• 2 Copies on Different Storage Mediums
• 1 ”Offsite” (or in cloud)
The Rule of “3-2-1-1-0”
• 3 Copies of Data
• 2 Copies on Different Storage Mediums
• 1 ”Offsite” (or in cloud)
• 1 Air Gapped or Immutable
• 0 Recovery Verification Errors
apiVersion: backup.io/v1alpha1
kind: Policy
metadata:
name: backup-policy
spec:
retention:
years: [7]
actions:
- action: backup
schedule: ‘@daily’
- action: backup-copy
allow {
input.request.object.kind == "Policy"
spec := input.request.object.spec
actions := [action |
action := spec.actions[_].action
]
"backup" in actions
"backup-copy" in actions
}

23. © 2022 Kasten by Veeam. All rights reserved. All trademarks are the property of their respective owners.
Exfiltration Protection
“Living off the Land” Attack
• Use of the data protection “restore” functionality
to exfiltrate data
Whitelist Restore Destinations
• Namespaces
• BackupTargets
• Clusters
NOTE: Does not protect all ways to exfiltrate data!
apiVersion: restore.io/v1alpha1
kind: RestoreJob
metadata:
name: restore-job
spec:
target:
namespace: prod-copy
actions:
- action: restore
schedule: ‘now’
OPA code here

24. Demo
Data Protection Policy Guardrails in CI/CD

25. Questions?

26. Thank You