From Paperwork Nightmare to Automated Compliance: Unlocking Security with OSCAL 🚀

Tired of drowning in compliance documentation? Feeling the pain of manual checks and fragmented data that make maintaining a strong security posture feel like an impossible mission? You’re not alone! Jen Power and Hannah Brazwell from Red Hat recently took the stage to unveil a revolutionary approach to policy and compliance automation, and it’s all powered by OSCAL. Get ready to ditch the spreadsheets and embrace a future of traceable, automated security. ✨

The Problem: The Compliance Quicksand ⏳

Let’s face it, traditional compliance methods are often a “nightmare.” We’re talking about:

  • Fragmented Data Silos: Information scattered everywhere, making it impossible to get a clear picture.
  • Manual, Checklist-Based Approaches: Time-consuming, error-prone, and frankly, a recipe for disaster.
  • Lack of Unified Security Posture: Trying to juggle multiple compliance frameworks in complex, cloud-native environments is a Herculean task.
  • Inflexible GRC Tools: Monolithic, proprietary tools create vendor lock-in and struggle to keep pace with evolving regulations like GDPR and the EU Cyber Resilience Act.

This is where the traditional GRC world often falls short, hindering our ability to integrate with modern automation technologies and adapt to the ever-changing regulatory landscape.

The Solution: The OSCAL “Traceable Path” 🛤️

Jen and Hannah introduced a methodology they call the “traceable path,” which begins and ends with OSCAL (the Open Security Controls Assessment Language, maintained by NIST). OSCAL isn’t just another standard; it’s a set of machine-readable formats (YAML, JSON, XML) that describe security controls across their whole lifecycle, so a requirement, its implementation and the evidence that it works can be linked by identifier rather than by hand. It does this through a layered model:

  • Control Layer: the high-level guidance and regulatory requirements, expressed as OSCAL catalogs and the tailored profiles built from them. Think of it as the what.
  • Implementation Layer: how those controls are actually implemented in your specific systems, captured as component definitions and system security plans.
  • Assessment Layer: how you check that the implementation works, captured as assessment plans, assessment results and plans of action and milestones (POA&M).

Key Technologies Powering the Path 🛠️

This “traceable path” isn’t built on a single tool, but a powerful integration of open-source projects:

  • OSCAL Compass (CNCF Sandbox Project): your workflow automation toolkit. It is the umbrella for tools such as compliance-trestle and C2P that translate high-level OSCAL data into the lower-level policy data your systems understand. 💡
  • Compliance to Policy (C2P) Project: a sub-project of OSCAL Compass, C2P transforms OSCAL assessment plans into executable policy-as-code and, in the other direction, turns policy engine results back into OSCAL assessment results. Imagine turning your compliance requirements into actual, runnable code! 👨‍💻
  • Open Policy Agent (OPA): the enforcement engine. OPA evaluates Rego policies across your application lifecycle, for example as a deployment gate in your CI pipelines. 🦾
  • OpenTelemetry Collector: your feedback loop’s best friend. It receives the policy engines’ decisions (as logs, metrics and traces), tags them with the compliance data they map back to, and forwards them to storage, closing the loop and producing the evidence an auditor will ask for. 📡

The “Traceable Path” Workflow in Action 🎬

So, how does this all come together? It’s a beautiful, continuous feedback loop:

  1. Define Governance Rules: Start by translating your organizational governance rules (based on compliance requirements) into a machine-readable format.
  2. Generate Policy-as-Code: The C2P tool takes these rules and generates policy-as-code, like OPA policy definitions.
  3. Measure Control Effectiveness: This policy-as-code actively measures the effectiveness of your controls.
  4. Enforce at Runtime: When deployed, these policies render decisions and enforce actions in real-time.
  5. Capture Evidence: These enforcement actions become evidence-generating events. The OpenTelemetry Collector, configured to know what evidence is needed (what happened, when, and how it fits your framework), captures and exports this information to a centralized store.
  6. Automate Audits: During audits, the C2P CLI leverages this collected evidence to assess your organization’s standing against external compliance requirements, providing actionable insights into implemented and un-implemented controls.
  7. Continuous Improvement: This entire process feeds back into your initial rules, creating a cycle of continuous improvement.

A Real-World Scenario: Separation of Duties & Secure Development 🎯

The speakers illustrated this with a compelling scenario. They began with compliance requirements for separation of duties and secure development processes. These minimum requirements were then “right-sized” for their organization by defining technology-specific controls and organizational policies. The assessment procedure detailed how to technically verify control implementation.

A crucial element here is the Gemara logical model (an OpenSSF project). While not OSCAL itself, Gemara maps to OSCAL, enabling seamless data exchange with tools and third parties. The assessment requirement ID is the thread of traceability: it links controls to compliance frameworks, and assessment procedures to automated checks and their policy outcomes.

Human vs. Machine Policy: A Clear Distinction 🤖

It’s important to distinguish between human-readable “capital P” Policy (the overarching governance) and automated “lowercase p” policy-as-code. The workflow bridges this gap in four steps:

  1. Export the human-readable Policy as an OSCAL assessment plan.
  2. The C2P CLI ingests this plan, determining the plugins it needs, the in-scope rules, and their tuning parameters.
  3. This information is passed to the OPA Rego plugin, which produces an OPA policy bundle.
  4. The bundle is pushed to a container registry as an OCI artifact, ready for deployment; OPA can fetch bundles directly from an OCI registry.
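As an added example (not code from the talk, from C2P, or from OSCAL Compass), the following Python sketch shows what steps 2 and 3 amount to: walk a minimal OSCAL assessment plan, collect the activities tagged with a rule id together with their tuning parameters, and render a Rego policy that embeds that rule id in every decision it produces. The plan is constructed and trimmed to a subset of the OSCAL schema; the `Rule_Id` / `Parameter_Id` / `Parameter_Value_Default` prop names follow the convention compliance-trestle and C2P use for component definitions, and whether the speakers’ assessment plans use the same names is an assumption. The Rego body and its expected `input.branch_protection.*` shape are likewise assumptions for this one rule.

```python
"""Read the in-scope rules and tuning parameters out of a minimal OSCAL assessment
plan and render a Rego policy that carries the rule id into its decisions.
Constructed example for this summary, not C2P's own code."""
import json

# Constructed, minimal assessment plan (a subset of the OSCAL JSON schema). Rule and
# parameter props use the Rule_Id / Parameter_Id / Parameter_Value_Default naming
# from compliance-trestle and C2P (an assumption for assessment plans).
ASSESSMENT_PLAN = json.loads("""
{
  "assessment-plan": {
    "uuid": "11111111-1111-4111-8111-111111111111",
    "metadata": {"title": "Secure development baseline", "version": "1.0",
                 "last-modified": "2025-03-10T00:00:00Z", "oscal-version": "1.1.2"},
    "import-ssp": {"href": "ssp.json"},
    "reviewed-controls": {"control-selections": [
      {"include-controls": [{"control-id": "ac-5"}, {"control-id": "sa-11"}]}]},
    "local-definitions": {"activities": [
      {"uuid": "22222222-2222-4222-8222-222222222222",
       "title": "GitHub branch protection",
       "props": [{"name": "Rule_Id", "value": "branch-protection-required"},
                 {"name": "Parameter_Id", "value": "min_reviewers"},
                 {"name": "Parameter_Value_Default", "value": "2"}],
       "related-controls": {"control-selections": [
         {"include-controls": [{"control-id": "ac-5"}]}]}},
      {"uuid": "33333333-3333-4333-8333-333333333333",
       "title": "Signed commits",
       "props": [{"name": "Rule_Id", "value": "signed-commits-required"}],
       "related-controls": {"control-selections": [
         {"include-controls": [{"control-id": "sa-11"}]}]}},
      {"uuid": "44444444-4444-4444-8444-444444444444",
       "title": "Interview the release manager (manual step, no automated rule)"}
    ]}
  }
}
""")


def props(obj: dict, name: str) -> list:
    """Values of every prop on `obj` with the given name."""
    return [p["value"] for p in obj.get("props", []) if p["name"] == name]


def in_scope_rules(plan: dict) -> list:
    """Activities tagged with a Rule_Id are automatable; the rest (interviews,
    document reviews) stay manual and are skipped here."""
    rules = []
    for activity in plan["assessment-plan"].get("local-definitions", {}).get("activities", []):
        rule_ids = props(activity, "Rule_Id")
        if not rule_ids:
            continue
        params = dict(zip(props(activity, "Parameter_Id"),
                          props(activity, "Parameter_Value_Default")))
        controls = [c["control-id"]
                    for sel in activity.get("related-controls", {}).get("control-selections", [])
                    for c in sel.get("include-controls", [])]
        rules.append({"rule_id": rule_ids[0], "params": params, "controls": controls})
    return rules


def rego_literal(value: str) -> str:
    """OSCAL parameter values are strings; emit integers bare, anything else as a JSON string."""
    try:
        return str(int(value))
    except ValueError:
        return json.dumps(value)


def render_rego(rule: dict) -> str:
    """Render the branch-protection policy for one rule. The policy body and the
    input shape (input.branch_protection.*) are assumptions; a real plugin keeps
    one template per rule."""
    lines = [
        f"package compliance.{rule['rule_id'].replace('-', '_')}",
        "",
        "import rego.v1",
        "",
        f"# Generated from Rule_Id {rule['rule_id']} (controls: {', '.join(rule['controls'])})",
        f'rule_id := "{rule["rule_id"]}"',
        f"controls := {json.dumps(rule['controls'])}",
    ]
    for name, value in rule["params"].items():
        lines.append(f"{name} := {rego_literal(value)}")
    lines += [
        "",
        "default allow := false",
        "",
        "allow if {",
        "    input.branch_protection.required_reviews >= min_reviewers",
        "    input.branch_protection.enforce_admins == true",
        "}",
        "",
        "# Every decision carries the rule id, so decision logs map back to the plan.",
        'decision := {"rule_id": rule_id, "controls": controls, "allow": allow}',
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules = in_scope_rules(ASSESSMENT_PLAN)
    print(render_rego(rules[0]))
```

Building the rendered file into a bundle and pushing it to a registry is left to `opa build` and an OCI push tool such as oras; the point of the sketch is that `rule_id` in the Rego output is the same string as `Rule_Id` in the plan, which is what makes the decision logs produced later traceable.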

Demonstrating Traceability: From Code to Compliance 🌐

The speakers showcased how traceability works in practice. A specific OSCAL assessment plan (e.g., for GitHub branch protection) is directly linked to its corresponding Rego policy definition: the same identifier appears in the plan, in the policy, and in the resulting policy outcome. That lets you trace an operational failure captured by the OpenTelemetry Collector all the way back to the original governance rule and the compliance frameworks it affects.

The OpenTelemetry Collector, deployed in agent mode alongside your policy or assessment tools, receives their telemetry and keeps the trace IDs, timestamps, and links back to the policies. It is configured with OTLP receivers, processors that add compliance attributes (rule, control, framework) to each event, and exporters such as AWS S3 for long-term retention or Loki for near-term analysis.

Visualizing Control Effectiveness: Beyond Spreadsheets 📊

This integration paves the way for creating dynamic Grafana dashboards. These dashboards visualize the technical effectiveness of your controls, moving beyond static spreadsheets to structured, normalized information. You can establish baselines, develop control health metrics, define thresholds, and configure proactive alerting – all in real-time!

The Final Audit Artifact: Automated and Actionable 📄

For the final audit artifact, the assessment plan is fed into the C2P CLI. The CLI uses a Loki plugin to query Loki for the relevant decision logs as evidence. That evidence is interpreted and aggregated into an OSCAL assessment result, whose findings carry normalized status values that mark each compliance requirement as satisfied or not-satisfied. And the best part? The underlying evidence, such as the specific log lines, can be retrieved via API queries for auditors.
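As an added example for the two passages above (the chain from decision logs back to the plan, and the final assessment-results artifact), here is a Python sketch that is not the C2P CLI, the Loki plugin or ComplyTime code: it takes constructed OPA-style decision log entries, stamps them with compliance attributes the way the collector’s processors would, and folds them into a minimal OSCAL assessment-results document whose findings are marked `satisfied` or `not-satisfied`. The rule-to-control index, the framework label, the `urn:opa:decision:` evidence href scheme and the `<control>_obj` target-id convention are assumptions; in the pipeline described in the talk the evidence would be pulled from Loki rather than passed in as a list.

```python
"""OPA decision-log events -> OSCAL assessment results, keyed by rule id so each
outcome traces back to its control. Constructed example; not the C2P CLI or Loki plugin."""
import json
import uuid
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: rule id -> controls, as the CLI would read it from the assessment
# plan. The framework label is an assumption.
RULE_INDEX = {
    "branch-protection-required": {"controls": ["ac-5"], "framework": "NIST SP 800-53"},
    "signed-commits-required": {"controls": ["sa-11"], "framework": "NIST SP 800-53"},
    "dependency-scanning-required": {"controls": ["sa-11"], "framework": "NIST SP 800-53"},
}
# Constructed OPA-style decision log entries: top-level fields follow OPA's decision
# log format; the result payload is whatever the generated policy emitted.
DECISION_LOG = [
    {"decision_id": "d-0001", "path": "compliance/branch_protection_required/decision",
     "timestamp": "2025-03-10T12:00:00Z", "input": {"repo": "org/payments"},
     "result": {"rule_id": "branch-protection-required", "allow": True}},
    {"decision_id": "d-0002", "path": "compliance/branch_protection_required/decision",
     "timestamp": "2025-03-10T12:00:05Z", "input": {"repo": "org/legacy-portal"},
     "result": {"rule_id": "branch-protection-required", "allow": False}},
    {"decision_id": "d-0003", "path": "compliance/signed_commits_required/decision",
     "timestamp": "2025-03-10T12:00:09Z", "input": {"repo": "org/payments"},
     "result": {"rule_id": "signed-commits-required", "allow": True}},
    # An ordinary authorization decision from the same OPA: not compliance evidence.
    {"decision_id": "d-0004", "path": "app/authz/allow", "timestamp": "2025-03-10T12:00:10Z",
     "input": {"user": "alice"}, "result": True},
]


def enrich(entries: list, rule_index: dict) -> list:
    """Stand-in for the collector's processor stage: tag each decision with the rule,
    controls and framework it maps to; drop decisions that carry no known rule id."""
    evidence = []
    for entry in entries:
        result = entry.get("result")
        rule_id = result.get("rule_id") if isinstance(result, dict) else None
        meta = rule_index.get(rule_id)
        if meta is None:
            continue  # an unmapped decision is not evidence for anything
        evidence.append({**entry, "attributes": {
            "compliance.rule_id": rule_id, "compliance.control_ids": meta["controls"],
            "compliance.framework": meta["framework"],
            # only an explicit allow == true is a pass; false or undefined is a fail
            "compliance.outcome": "pass" if result.get("allow") is True else "fail"}})
    return evidence


def build_assessment_results(evidence: list, rule_index: dict, ap_href: str) -> dict:
    """Aggregate enriched decisions into OSCAL observations and findings. A rule with
    no evidence at all is reported not-satisfied, never silently passed."""
    by_rule = defaultdict(list)
    for ev in evidence:
        by_rule[ev["attributes"]["compliance.rule_id"]].append(ev)
    now = datetime.now(timezone.utc).isoformat()
    observations, findings, controls = [], [], set()
    for rule_id, meta in rule_index.items():
        evs, obs_uuids = by_rule.get(rule_id, []), []
        for ev in evs:
            obs_uuids.append(str(uuid.uuid4()))
            observations.append({
                "uuid": obs_uuids[-1], "methods": ["TEST"], "collected": ev["timestamp"],
                "description": f"{rule_id}: {ev['attributes']['compliance.outcome']} for {json.dumps(ev['input'])}",
                # the urn:opa:decision: href scheme is made up; in the talk it is a Loki query
                "relevant-evidence": [{"href": f"urn:opa:decision:{ev['decision_id']}",
                                       "description": "OPA decision log entry"}]})
        failed = sum(ev["attributes"]["compliance.outcome"] == "fail" for ev in evs)
        if not evs:
            state, why = "not-satisfied", "no evidence collected for this rule"
        elif failed:
            state, why = "not-satisfied", f"{failed} of {len(evs)} decisions failed"
        else:
            state, why = "satisfied", f"all {len(evs)} decisions passed"
        for control_id in meta["controls"]:
            controls.add(control_id)
            finding = {"uuid": str(uuid.uuid4()), "title": f"{control_id} via {rule_id}",
                       "description": why, "props": [{"name": "Rule_Id", "value": rule_id}],
                       # the <control>_obj target-id convention is an assumption here
                       "target": {"type": "objective-id", "target-id": f"{control_id}_obj",
                                  "status": {"state": state}}}
            if obs_uuids:  # OSCAL arrays must be non-empty when present
                finding["related-observations"] = [{"observation-uuid": u} for u in obs_uuids]
            findings.append(finding)
    result = {"uuid": str(uuid.uuid4()), "title": "Policy engine evidence", "start": now,
              "description": "Findings derived from OPA decision logs", "findings": findings,
              "reviewed-controls": {"control-selections": [
                  {"include-controls": [{"control-id": c} for c in sorted(controls)]}]}}
    if observations:
        result["observations"] = observations
    return {"assessment-results": {
        "uuid": str(uuid.uuid4()), "import-ap": {"href": ap_href}, "results": [result],
        "metadata": {"title": "Automated assessment results", "last-modified": now,
                     "version": "1.0", "oscal-version": "1.1.2"}}}


def finding_states(results: dict) -> dict:
    """Rule id -> finding state, the first thing an auditor asks for."""
    states = {}
    for finding in results["assessment-results"]["results"][0]["findings"]:
        rule_id = next(p["value"] for p in finding["props"] if p["name"] == "Rule_Id")
        states[rule_id] = finding["target"]["status"]["state"]
    return states


RESULTS = build_assessment_results(enrich(DECISION_LOG, RULE_INDEX), RULE_INDEX, "assessment-plan.json")
```

Two edge cases are deliberate. A decision with no known rule id is dropped rather than counted, and a rule for which no decisions arrived at all is reported not-satisfied: absence of evidence is exactly the failure mode that a naive “no failures seen” aggregation turns into a false green, so the aggregation rule belongs in the assessment plan, not in the tool’s defaults.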

The ultimate goal isn’t just the artifact; it’s making its creation easy and automated through a policy-driven security program. You can explore real-world implementations in the open-source “OSCON OSCAL in Action” repository and the “ComplyTime” project on GitHub.

Looking Ahead: Identity Governance and Beyond 🚀

During the Q&A, the speakers touched on future directions. While their current focus is on securing source code repositories, identity governance is a clear area for future development. Regarding backward compatibility, they clarified that there isn’t a direct conversion for existing OPA policies into OSCAL. However, existing policies can be mapped to external standards, offering a path for integration.

This OSCAL-powered approach is a significant leap forward, transforming compliance from a burdensome chore into a strategic, automated advantage. It’s time to embrace the future of secure, compliant operations!
