00:00:00:00 - 00:00:03:10 So yes, before we start, let us introduce ourselves.
00:00:03:10 - 00:00:06:09 My name is Ian Miell. I'm a partner at Container Solutions.
00:00:06:09 - 00:00:08:17 I'll tell you a little about who we are next.
00:00:08:17 - 00:00:12:15 Just briefly, the purpose of this talk today is to introduce
00:00:12:18 - 00:00:13:23 our compliance framework
00:00:13:23 - 00:00:18:21 to potentially interested parties, in order to network around
00:00:18:24 - 00:00:23:13 this open source project and gain more insights from various people
00:00:23:13 - 00:00:26:13 in the regulated industries that are interested in OSCAL.
00:00:26:19 - 00:00:29:10 Chris, do you want to introduce yourself? Yeah.
00:00:29:10 - 00:00:30:24 Happy to. Hi everybody.
00:00:30:24 - 00:00:32:15 I'm Chris. Christiaan.
00:00:32:15 - 00:00:34:08 But just Chris is good.
00:00:34:08 - 00:00:36:20 I've been working with Ian on the compliance framework for a while,
00:00:36:20 - 00:00:40:13 and Chris is a principal engineer at Container Solutions,
00:00:40:19 - 00:00:42:06 the company we work for.
00:00:42:06 - 00:00:46:02 And he'll also be heckling me and adding points as I'm making them.
00:00:46:08 - 00:00:50:19 The structure today is going to be an overview of how we got here, what the compliance
00:00:50:19 - 00:00:55:04 framework is, then we'll do a little demo, and then do some questions and answers.
00:00:55:08 - 00:00:57:01 So, who we are.
00:00:57:01 - 00:00:59:22 So Container Solutions is a consultancy.
00:00:59:22 - 00:01:03:13 We're based primarily in the UK but also in Europe as well,
00:01:03:17 - 00:01:08:11 and we specialize in cloud native migration and architecture.
00:01:08:14 - 00:01:12:09 So we help companies move to cloud native ways of working.
00:01:12:12 - 00:01:16:00 If you don't know, cloud native doesn't simply mean using the cloud.
00:01:16:06 - 00:01:18:07 You can be cloud native and on prem.
00:01:18:07 - 00:01:22:21 You can be cloud native in your own internal IaaS or PaaS environment.
00:01:23:01 - 00:01:25:07 Indeed, many of our customers are still on prem
00:01:25:07 - 00:01:26:09 because they tend to be
00:01:26:09 - 00:01:28:17 larger organizations that haven't necessarily
00:01:28:17 - 00:01:30:20 moved to any of the major cloud providers.
00:01:30:20 - 00:01:34:08 We have implemented projects that have become standard
00:01:34:08 - 00:01:38:20 for Kubernetes, which is a popular platform for running applications.
00:01:38:22 - 00:01:42:19 And we also wrote a book called Cloud Native Transformation and various other books
00:01:43:03 - 00:01:43:21 in this area.
00:01:43:21 - 00:01:46:21 So that's the context from which we came across OSCAL.
00:01:46:24 - 00:01:50:03 So I guess the point of this is to say we're not client specialists.
00:01:50:03 - 00:01:51:20 We're not control specialists.
00:01:51:20 - 00:01:54:18 We're not security audit specialists.
00:01:54:18 - 00:01:56:07 So that's a little bit of context.
00:01:56:07 - 00:01:58:02 As a consultancy we're vendor independent,
00:01:58:02 - 00:02:01:06 so we don't really care which tools and technologies our clients use.
00:02:01:06 - 00:02:03:10 We will work with whatever they have chosen.
00:02:03:10 - 00:02:05:21 We will also help them decide what to choose, and so on.
00:02:05:21 - 00:02:07:18 As I've mentioned before, we've done various
00:02:07:18 - 00:02:11:14 open source projects; the most significant probably is the External Secrets Operator.
00:02:11:14 - 00:02:15:22 But we've also written a Java operator SDK for Kubernetes, which I see
00:02:15:22 - 00:02:19:23 we've got Red Hat people on the call, which Red Hat kindly took from us
00:02:20:02 - 00:02:23:18 and now manage for us, so we don't have to maintain that anymore ourselves.
00:02:24:10 - 00:02:29:00 So in one slide, what the compliance framework is: it's an attempt
00:02:29:00 - 00:02:33:22 to apply the principles of cloud native, AI or DevOps, continuous
00:02:34:02 - 00:02:38:08 integration, continuous delivery, and bring these principles to compliance
00:02:38:08 - 00:02:39:07 and controls.
00:02:39:07 - 00:02:40:17 It's an open source project.
00:02:40:17 - 00:02:43:12 It's a work in progress. It's definitely not a finished product.
00:02:43:12 - 00:02:45:20 We are working on it actively.
00:02:45:20 - 00:02:48:17 We are also using it with a couple of our clients,
00:02:48:17 - 00:02:52:03 because we see more and more compliance and control based
00:02:52:06 - 00:02:54:02 automation work coming down the pipe.
00:02:54:02 - 00:02:57:18 And we're looking for help: partners, owners, contributors, examples,
00:02:58:05 - 00:02:59:07 complementary work,
00:02:59:07 - 00:03:02:18 which we're talking to various people in the community around as well.
00:03:02:20 - 00:03:03:17 How did we get here?
00:03:03:17 - 00:03:08:22 So we were working with a major European bank, and a CISO at a major European bank
00:03:08:22 - 00:03:10:15 said to us during a call,
00:03:10:15 - 00:03:13:15 you know, we're doing controls tracking on Confluence pages.
00:03:13:20 - 00:03:15:06 Surely there's a better way to do this?
00:03:15:06 - 00:03:17:05 This is all very manual and very bespoke.
00:03:17:05 - 00:03:19:02 And one of our engineers said, well, funny you should say that,
00:03:19:02 - 00:03:22:13 because we were thinking about writing a tool to help with this.
00:03:22:15 - 00:03:24:10 But what we really need is a use case.
00:03:24:10 - 00:03:29:24 The experience, I think, is very universal: that we have Excel spreadsheets,
00:03:30:04 - 00:03:32:20 Confluence pages, emails flying around,
00:03:32:20 - 00:03:35:20 the pattern of every six months a compliance
00:03:35:23 - 00:03:38:19 officer coming round to a team saying, this application
00:03:38:19 - 00:03:41:20 you own, we need to know its conformance to controls.
00:03:41:20 - 00:03:44:19 And the whole process is very manual. It's very labor intensive.
00:03:44:19 - 00:03:45:20 It's very expensive.
00:03:45:20 - 00:03:50:22 A stat I saw said that 10% of a bank's costs are on compliance.
00:03:50:22 - 00:03:53:13 Now, not all of that will be software compliance.
00:03:53:13 - 00:03:55:18 But still, that's a huge chunk of change.
00:03:55:18 - 00:03:57:11 And it's not terribly scalable at the moment.
00:03:57:11 - 00:03:59:20 As we'll see, there are regulatory pressures
00:03:59:20 - 00:04:03:12 which are pushing this need to automate higher up the priority list.
00:04:03:16 - 00:04:06:15 Now, that particular bank actually went out of business,
00:04:06:15 - 00:04:09:11 not because of us, I hope, so that project kind of went away,
00:04:09:11 - 00:04:11:08 but we wanted to keep going with the project.
00:04:11:08 - 00:04:14:05 So we've been building on it over the last year or so.
00:04:14:05 - 00:04:15:14 And as we talk to more and more people,
00:04:15:14 - 00:04:19:18 we find that there does seem to be a need for this particular solution.
00:04:19:23 - 00:04:22:17 We think it has a place in the ecosystem around us.
00:04:22:17 - 00:04:26:06 I talked a little bit before about how this is all in Word docs, spreadsheets
00:04:26:06 - 00:04:27:02 and Confluence.
00:04:27:02 - 00:04:30:09 The other big challenge is that if I'm a compliance officer,
00:04:30:19 - 00:04:33:23 I do not have the ability to click a button
00:04:34:01 - 00:04:39:05 and have a readout of my current audit state as of today.
00:04:39:09 - 00:04:41:06 There are probably various tools which help with this,
00:04:41:06 - 00:04:43:10 but there doesn't seem to be a single product
00:04:43:10 - 00:04:46:10 that's widely used that allows people to do that.
00:04:46:11 - 00:04:49:24 And yet in so many other areas of software we have those dashboards.
00:04:50:02 - 00:04:52:09 And you know, that's the way we work.
00:04:52:09 - 00:04:55:16 Auditing and compliance seems to be lagging behind in this respect.
00:04:55:19 - 00:04:57:21 And the challenge at the bottom there,
00:04:57:21 - 00:05:00:13 which is what OSCAL addresses and why we've used it,
00:05:00:13 - 00:05:00:18 because
00:05:00:18 - 00:05:04:14 there's no widely used common language to describe governance, risk and control.
00:05:04:14 - 00:05:08:09 As I mentioned before, this is becoming more and more of a pressing need because
00:05:08:14 - 00:05:11:20 of the broader context around regulatory pressures.
00:05:11:22 - 00:05:16:14 Since 2008, regulators were very concerned with fiscal stability,
00:05:16:19 - 00:05:19:07 financial stability, making sure the banks don't run out of money.
00:05:19:07 - 00:05:22:21 And so the last ten, 15 years they've been super focused on that.
00:05:23:00 - 00:05:25:14 Operational resilience has taken a backseat.
00:05:25:14 - 00:05:29:17 And I think we've seen effects of that with their various outages and so on,
00:05:29:21 - 00:05:31:23 which has started to concern regulators more and more.
00:05:31:23 - 00:05:35:24 So 2025, the EU is
00:05:35:24 - 00:05:39:24 putting into place what's called DORA, the Digital Operational Resilience Act,
00:05:39:24 - 00:05:43:23 which is a set of standards that they expect
00:05:44:02 - 00:05:46:14 the financial sector particularly to adhere to
00:05:46:14 - 00:05:47:08 in the future.
00:05:47:08 - 00:05:50:06 The exact details of DORA are not clear. In fact,
00:05:50:06 - 00:05:52:08 some of the language is quite vague, but over
00:05:52:08 - 00:05:56:08 the next few years we will see a lot more focus around the ability to
00:05:56:12 - 00:05:59:16 attest to your compliance in a way that is more real time.
00:05:59:16 - 00:06:02:10 There's language in there which is much more focused around
00:06:02:10 - 00:06:05:21 real time compliance rather than regular yearly checking and so on.
00:06:05:24 - 00:06:08:09 And the UK market is doing a similar thing.
00:06:08:09 - 00:06:12:01 So our vision was continuous compliance: essentially, prove
00:06:12:01 - 00:06:14:01 that controls are in place and are functioning,
00:06:14:01 - 00:06:18:14 tracking in real time status and details, and provide a framework around
00:06:18:14 - 00:06:19:24 which other tools can be built.
00:06:19:24 - 00:06:24:01 And you know, ultimately the original vision was, with this software in place,
00:06:24:03 - 00:06:26:15 you can just print off a report for your auditor
00:06:26:15 - 00:06:27:19 without having to do any work,
00:06:27:19 - 00:06:29:11 automating that work for you.
00:06:29:13 - 00:06:32:11 So OSCAL was a no brainer for us.
00:06:32:11 - 00:06:34:21 We looked at various ways of handling this, and we
00:06:34:21 - 00:06:38:05 found that everyone in the industry is converging around OSCAL
00:06:38:07 - 00:06:41:21 as the machine readable way to define and talk about these things.
00:06:41:21 - 00:06:45:16 So what you see in this diagram here is an entity relationship map
00:06:45:16 - 00:06:47:05 that someone put together here
00:06:47:05 - 00:06:50:19 in order to help out developers understand what was going on. We use OSCAL
00:06:50:24 - 00:06:52:22 as part of this project, this product.
00:06:52:22 - 00:06:57:11 And particularly we focus on the assessment plan area,
00:06:57:13 - 00:06:59:07 the assessment area component.
00:06:59:07 - 00:07:03:00 But basically the middle right is where we are focusing our efforts
00:07:03:00 - 00:07:06:15 particularly on. I've spoken to people in other organizations
00:07:06:15 - 00:07:09:17 who are writing applications around OSCAL
00:07:09:19 - 00:07:13:08 control catalogs and tracking relationships between those.
00:07:13:16 - 00:07:17:24 It's emerged that, I think, it could be part of a wider ecosystem around OSCAL.
00:07:18:01 - 00:07:19:17 But definitely the consensus in the industry
00:07:19:17 - 00:07:22:17 was 100% that OSCAL is the way to go.
00:07:22:19 - 00:07:25:16 We're also involved with Common Cloud Controls.
00:07:25:16 - 00:07:27:07 So I don't know if there are people here
00:07:27:07 - 00:07:29:21 who have a relationship with that project.
00:07:29:21 - 00:07:33:00 But obviously if there are common cloud controls and they're machine readable,
00:07:33:00 - 00:07:36:00 they could be imported into tools like this.
00:07:36:07 - 00:07:36:11 Yeah.
00:07:36:11 - 00:07:39:21 And also we use gRPC for the plugins in our system.
00:07:39:22 - 00:07:44:15 So that's a good segue into the architecture of the compliance framework.
00:07:44:16 - 00:07:47:23 So the architecture for clients is designed to be open.
00:07:48:19 - 00:07:50:22 So it's microservices based.
00:07:50:22 - 00:07:51:24 It's not monolithic.
00:07:51:24 - 00:07:56:16 And we have at the moment four main components that are of significance here.
00:07:57:03 - 00:08:00:05 On the left there you've got the configuration API,
00:08:00:05 - 00:08:05:11 which is the service that allows you to define what plugins you want to use,
00:08:05:11 - 00:08:09:07 what compliance checks you want to make and how often they should run, and so on.
00:08:09:09 - 00:08:12:11 So that's the system that takes that.
00:08:12:15 - 00:08:15:19 It also receives messages from the event bus.
00:08:15:19 - 00:08:18:20 So it takes messages from the event bus and processes them
00:08:18:20 - 00:08:21:22 and places them into the configuration database.
00:08:22:00 - 00:08:25:15 The configuration database on the bottom left is MongoDB.
00:08:25:20 - 00:08:28:20 So since OSCAL is in JSON, we naturally
00:08:28:21 - 00:08:31:20 want to use a document based database.
00:08:31:20 - 00:08:35:05 We've understood from other people who've tried to map
00:08:35:09 - 00:08:38:14 OSCAL to a relational database that it's simply not worth it.
00:08:38:14 - 00:08:40:03 It's just too much effort.
00:08:40:03 - 00:08:43:09 We've, we think correctly, gone with a MongoDB solution.
00:08:43:12 - 00:08:47:17 MongoDB will also store, as we'll see later, all the observations
00:08:47:17 - 00:08:50:22 and the findings that we get from running our checks.
00:08:51:00 - 00:08:55:19 So the event bus in the middle: the reason we have an event bus passing messages
00:08:55:19 - 00:09:00:24 from the assessment runtime and the configuration API into the database is because
00:09:01:01 - 00:09:04:09 we want to allow other applications to tap into that.
00:09:04:09 - 00:09:07:12 So for example, we haven't done anything around notifications, for example.
00:09:07:16 - 00:09:10:22 We would like to be able to let people easily tap into
00:09:11:01 - 00:09:14:01 those messages when they come through the bus and run whatever they want.
00:09:14:07 - 00:09:17:05 We imagine this to be used by quite large enterprises,
00:09:17:05 - 00:09:19:22 and to have lots of other systems they want to integrate with.
00:09:19:22 - 00:09:22:21 So that's part of the design architectural choices.
00:09:22:21 - 00:09:26:17 On the right, the assessment runtime is the service
00:09:26:17 - 00:09:28:22 which runs continuously in the background.
00:09:28:22 - 00:09:30:06 At the moment it's on a cron.
00:09:30:06 - 00:09:34:19 It runs checks periodically based on the schedule that's defined.
00:09:35:02 - 00:09:35:15 Check.
00:09:35:15 - 00:09:39:13 So for example, if you want to check on your machines
00:09:39:15 - 00:09:42:23 that a certain user is not logged in to a particular set of servers,
00:09:43:00 - 00:09:46:12 you define it there, and you might run that once a day, once a week
00:09:46:15 - 00:09:49:23 or once a minute, depending on the cadence that you would like.
00:09:49:23 - 00:09:53:10 The check itself is created within a container,
00:09:53:12 - 00:09:56:10 and we store that in a Docker repository, a plugin store.
00:09:56:10 - 00:09:58:17 And then the assessment runtime pulls
00:09:58:17 - 00:10:02:06 the container image it needs, applies the configuration,
00:10:02:10 - 00:10:05:10 runs the check against the resources on the right,
00:10:05:11 - 00:10:08:13 and then returns the result to the event bus, through
00:10:08:13 - 00:10:11:20 to the configuration API, back down to the configuration database.
00:10:11:20 - 00:10:15:04 So these are the main components of the framework.
00:10:15:06 - 00:10:17:18 At the moment we don't have a dashboard UI.
00:10:17:18 - 00:10:21:02 We started building one, but quite frankly we're not very good at that.
00:10:21:02 - 00:10:24:10 We're more of a back end systems company, not writing
00:10:24:10 - 00:10:25:10 front ends.
00:10:25:10 - 00:10:28:01 So we think there are probably people in a better place to do that.
00:10:28:01 - 00:10:30:16 So for now we've parked that and are just working on the core engine.
00:10:30:16 - 00:10:33:23 So I'm going to show you a little walk through of what we've got;
00:10:34:06 - 00:10:36:04 we'll look at some code as well.
00:10:36:04 - 00:10:40:05 Let me stop this share and share my terminal with you.
00:10:40:11 - 00:10:41:21 This is a menu.
00:10:41:21 - 00:10:44:04 So, a little command line application I wrote
00:10:44:04 - 00:10:46:04 to allow me to demo this framework.
00:10:46:04 - 00:10:50:07 What I'm going to start by showing is, let's have a look at the plans
00:10:50:07 - 00:10:50:22 that we've got.
00:10:50:22 - 00:10:54:18 So these are my assessment plans that are currently running on the system.
00:10:54:23 - 00:10:56:03 Actually, first I'll show,
00:10:57:02 - 00:10:57:19 I don't know how many
00:10:57:19 - 00:11:00:19 people here are familiar with Kubernetes or even k9s,
00:11:00:21 - 00:11:03:15 the current system runs on Kubernetes.
00:11:03:15 - 00:11:06:15 These are the four containers that you see running here.
00:11:06:19 - 00:11:10:17 They map to the four components in the architecture we saw.
00:11:11:03 - 00:11:14:03 It doesn't have to run in Kubernetes; it's for us to deploy.
00:11:14:07 - 00:11:17:08 So we've got these four things running in Kubernetes,
00:11:17:11 - 00:11:20:11 within Kubernetes in MongoDB
00:11:21:07 - 00:11:23:02 we've got these plans defined.
00:11:23:02 - 00:11:28:08 So my application queries the system and returns plans in the database.
00:11:28:08 - 00:11:29:15 Here we've got two plans.
00:11:29:15 - 00:11:32:20 One is called the SSH assessment plan for a demo,
00:11:33:00 - 00:11:36:03 and the other is an Azure VM tag assessment plan.
00:11:36:05 - 00:11:40:09 The SSH assessment plan simply logs onto a server
00:11:40:15 - 00:11:44:20 and runs a command and returns the results of that command.
00:11:44:22 - 00:11:46:11 The command you run is configurable;
00:11:46:11 - 00:11:49:23 whatever you want to test on your SSH server you can test.
00:11:49:23 - 00:11:53:00 The Azure VM tag assessment plan is an assessment plan
00:11:53:00 - 00:11:58:09 around checking whether all VMs in an Azure account have
00:11:58:11 - 00:12:02:16 a data classification tag. So that's the most sort of generic example.
00:12:03:21 - 00:12:04:17 So I'm going to
00:12:04:17 - 00:12:07:18 pick a plan to focus on by hitting P,
00:12:08:13 - 00:12:13:01 and I'm going to focus first on this SSH assessment plan.
00:12:13:05 - 00:12:15:21 And I'm just going to call it SSH for the graph.
00:12:15:21 - 00:12:16:18 Okay.
00:12:16:18 - 00:12:20:06 So at the moment this particular plan that is
00:12:20:06 - 00:12:23:06 running is configured to run every minute.
00:12:23:08 - 00:12:26:09 This graph tells us, it's just an ASCII graph,
00:12:26:12 - 00:12:29:22 we've got one observation per minute and zero findings.
00:12:30:02 - 00:12:34:07 This SSH plugin, what it does is, I'm going to log in to my server
00:12:34:14 - 00:12:36:08 that's at home, effectively.
00:12:36:08 - 00:12:39:23 And the plugin throws an error or throws a failure
00:12:40:01 - 00:12:45:08 if there is someone logged in as postgres who is not running the Postgres database.
00:12:45:11 - 00:12:48:22 Do a secret express, we've got
00:12:49:02 - 00:12:53:01 various processes running under postgres, but they're all running the Postgres
00:12:53:01 - 00:12:54:02 database.
00:12:54:02 - 00:12:58:01 If someone nefariously logs in as a postgres user,
00:12:59:18 - 00:13:01:04 then that shouldn't happen.
00:13:01:04 - 00:13:03:09 This is a problem. We're out of compliance.
00:13:03:09 - 00:13:07:01 If I now go back to our compliance framework engine,
00:13:07:06 - 00:13:09:07 then I have to wait for the minute to roll over.
00:13:09:07 - 00:13:10:21 But in the meantime I can show you.
00:13:10:21 - 00:13:13:03 Let's get all the observations.
00:13:13:03 - 00:13:16:08 And we can see that, this is then querying the system
00:13:16:08 - 00:13:19:13 to get a subset of the JSON out that's useful to us.
00:13:19:13 - 00:13:23:08 So we can see that at 9:08 this morning that command succeeded.
00:13:23:11 - 00:13:27:07 And if we scroll down to the bottom, we see that for every minute
00:13:27:16 - 00:13:29:02 today it's succeeded.
00:13:29:02 - 00:13:30:22 Now the clock should have rolled over.
00:13:30:22 - 00:13:34:09 So if I do a graph, you can see now on the right
00:13:34:12 - 00:13:39:00 we've picked up that the findings have gone up to one per minute.
00:13:39:02 - 00:13:42:02 So now we have one observation per minute and one finding per minute.
00:13:42:12 - 00:13:44:12 If I log out of that server,
00:13:45:21 - 00:13:47:13 if we wait a few seconds,
00:13:47:13 - 00:13:51:03 we should see that the graph returns,
00:13:51:09 - 00:13:54:09 as the minute passes, back down.
00:13:54:15 - 00:13:58:10 What we have there is an ability to track and historically record
00:13:58:12 - 00:14:01:10 whether we are in conformance to requirements.
00:14:01:10 - 00:14:04:07 And we can do it with basically anything that's programmable.
00:14:04:07 - 00:14:06:16 Next I want to show the other plan.
00:14:06:16 - 00:14:10:23 So let's get the plans again, look at the VM tag assessment plan.
00:14:11:10 - 00:14:12:21 Yeah. Pick a plan.
00:14:12:21 - 00:14:17:01 So plan ID, and then Azure VM.
00:14:18:11 - 00:14:20:09 So now I'm focusing on a different plan.
00:14:20:09 - 00:14:24:17 And if we do the graph thing again, we can see that we've got two observations
00:14:24:17 - 00:14:25:03 per minute.
00:14:25:03 - 00:14:29:16 So we've got two VMs running in Azure, we've got one finding per minute.
00:14:30:03 - 00:14:34:24 So let me, I think what I'll do is I will share my full screen. So.
00:14:36:07 - 00:14:39:07 So now if I go to my Azure
00:14:41:17 - 00:14:44:07 dashboard, you can see we've got two
00:14:44:07 - 00:14:45:06 machines running here.
00:14:45:06 - 00:14:48:14 One is uncompliant, which I've called uncompliant
00:14:48:14 - 00:14:50:08 one, and the other is machine
00:14:50:08 - 00:14:52:21 two, which does have the tag.
00:14:52:21 - 00:14:55:22 So machine two here has data classification secret.
00:14:55:22 - 00:14:57:01 Michaela, you got a hand up?
00:14:57:07 - 00:14:58:10 Yes, I have a question.
00:14:58:10 - 00:15:01:21 But I didn't mean to interrupt you in the middle of your second part of the demo.
00:15:01:21 - 00:15:05:19 It was about the SSH, and I had one previously about the cron jobs.
00:15:06:03 - 00:15:11:12 So when you were showing the SSH demo, you highlighted the remediation.
00:15:11:12 - 00:15:13:18 Basically you logged out and you had the remediation.
00:15:13:18 - 00:15:17:17 But historically the graph changed completely to a
00:15:17:17 - 00:15:20:17 one. It did not persist the finding.
00:15:20:17 - 00:15:24:13 Is there a way of persisting the finding? Because nobody can stay with their eyes
00:15:24:13 - 00:15:27:12 24 hours on those graphs. I'm not sure
00:15:27:12 - 00:15:29:10 why it did that; it's never done that before.
00:15:29:10 - 00:15:32:15 So this is, sorry for catching on that.
00:15:32:16 - 00:15:34:14 No, no, it bothered me too.
00:15:34:14 - 00:15:37:11 But I don't understand why that doesn't show up.
00:15:37:11 - 00:15:39:08 It may be an artifact of timings.
00:15:39:08 - 00:15:40:02 But I'm not.
00:15:40:02 - 00:15:42:00 I can't answer that now.
00:15:42:00 - 00:15:44:24 You can see, what's the other one?
00:15:44:24 - 00:15:46:17 That the job restarted.
00:15:46:17 - 00:15:47:13 I don't know.
00:15:47:13 - 00:15:50:03 I would like to debug it in real time. Yeah.
00:15:50:03 - 00:15:54:02 You can see that with this one, earlier I did add the tag to test it.
00:15:54:06 - 00:15:57:12 This was me running earlier, and it does persist.
00:15:57:14 - 00:15:58:12 The data is there.
00:15:58:12 - 00:16:00:23 I just, I'm not sure why the graph didn't work here.
00:16:00:23 - 00:16:03:11 Yeah, because of the demo. May I ask the second question?
00:16:03:11 - 00:16:04:07 Sure. Of course.
00:16:04:07 - 00:16:09:11 So the mechanism for triggering or detecting is a cron job.
00:16:09:11 - 00:16:11:14 So you can set the cadence.
00:16:11:14 - 00:16:15:08 But do you have any other mechanism that could trigger based on the OSCAL
00:16:15:13 - 00:16:16:06 artifacts?
00:16:16:06 - 00:16:18:10 When those are changing, that could trigger
00:16:18:10 - 00:16:22:18 exactly partial reassessment based on those changes, or something to come?
00:16:22:21 - 00:16:25:10 It's not something we've implemented, for sure.
00:16:25:10 - 00:16:27:03 Yeah. There is no reason.
00:16:27:03 - 00:16:30:16 The only reason we use a cron trigger is because it's the first thing
00:16:30:16 - 00:16:33:11 we thought of, essentially. Implementing that wouldn't be too hard.
00:16:33:11 - 00:16:34:24 You'd have something
00:16:34:24 - 00:16:38:06 triggered off the database that would send a message to the message bus.
00:16:38:09 - 00:16:41:09 The message bus would send a message to the assessment runtime;
00:16:41:10 - 00:16:43:03 it would run the test,
00:16:43:03 - 00:16:47:02 because this is part of the core of the power of OSCAL, allowing you
00:16:47:02 - 00:16:50:07 to detect what change happened and to propagate that
00:16:50:09 - 00:16:53:11 through that backwards traceability, native backwards traceability.
00:16:53:12 - 00:16:56:07 So that would be fantastic. And that can be added.
00:16:56:07 - 00:16:58:12 As I say, it's not a finished product, clearly.
00:16:58:12 - 00:16:59:16 We are driven very much
00:16:59:16 - 00:17:03:06 by our conversations with various people who are interested in using it.
00:17:03:12 - 00:17:05:18 So at the moment we're talking to an energy company
00:17:05:18 - 00:17:09:08 that doesn't want to do this method of logging into things and looking at them.
00:17:09:10 - 00:17:11:05 They want to have agents running on machines;
00:17:11:05 - 00:17:13:02 that's driving the work in that direction.
00:17:13:02 - 00:17:17:02 So yeah, I mean, in principle that is conformant with the architecture.
00:17:17:10 - 00:17:20:10 There would be no difficulty in producing that.
00:17:20:11 - 00:17:22:10 But yeah, we're driven very much by the needs of
00:17:22:10 - 00:17:26:09 the users, and we're very interested in use cases.
00:17:26:09 - 00:17:29:13 Personally I'm very interested, since it's open source,
00:17:29:16 - 00:17:32:18 to experiment with that on the pilot that we currently have. Yeah.
00:17:32:19 - 00:17:34:00 Absolutely. Very interesting.
00:17:34:00 - 00:17:36:08 But some simple OSCAL artifacts.
00:17:36:08 - 00:17:38:07 Okay. So yes, we have two machines.
00:17:38:07 - 00:17:40:01 Let me just maximize this.
00:17:40:01 - 00:17:41:23 So we have two machines running.
00:17:41:23 - 00:17:44:23 I fixed that one. One is broken, uncompliant.
00:17:45:00 - 00:17:47:08 One is compliant. So we have two observations.
00:17:47:08 - 00:17:49:20 One finding. Earlier I fixed the machine,
00:17:49:20 - 00:17:51:02 and so we went down to zero.
00:17:51:02 - 00:17:54:02 And then I deleted the tag and we went back to one.
00:17:54:03 - 00:17:58:00 If we get all observations, you can see that the observations
00:17:58:00 - 00:17:59:03 are recorded in the system.
00:17:59:03 - 00:18:02:11 So you know, at 3:28, virtual machine
00:18:02:15 - 00:18:06:08 has a data classification tag, virtual machine compliant.
00:18:06:08 - 00:18:10:02 So machine two has a data classification tag; uncompliant does not have a data
00:18:10:02 - 00:18:11:04 classification tag.
00:18:11:04 - 00:18:13:08 This is what I use to create the graph.
00:18:13:08 - 00:18:14:24 We take the collected time,
00:18:14:24 - 00:18:18:04 we check whether it's a finding, not whether it's successful or not.
00:18:18:07 - 00:18:22:08 We check whether a finding exists and then graph it. If I look at
00:18:22:08 - 00:18:28:02 get all findings, you can see these are findings taken from MongoDB.
00:18:28:07 - 00:18:29:19 And it's always uncompliant one.
00:18:29:19 - 00:18:31:22 So if I now go to
00:18:32:23 - 00:18:35:23 my uncompliant machine
00:18:37:10 - 00:18:39:04 and look at tags
00:18:39:04 - 00:18:43:00 and add a data classification tag,
00:18:43:07 - 00:18:46:07 I'm going to click open and apply it.
00:18:46:19 - 00:18:48:22 Okay. So now we have the tag here.
00:18:48:22 - 00:18:53:13 If I go back, I'm going to have to wait half a minute for it to pick up.
00:18:53:13 - 00:18:58:05 In the meantime, let's have a quick look at the MongoDB just to show,
00:18:58:19 - 00:19:02:11 in this MongoDB, see if I can remember the command, MongoDB, which...
00:19:04:03 - 00:19:06:05 So now I'm logged into MongoDB.
00:19:06:05 - 00:19:09:13 I'm going to use the compliance framework database.
00:19:09:14 - 00:19:14:06 And I do db plan dot find one.
00:19:15:22 - 00:19:17:22 Then we've got this enormous
00:19:17:22 - 00:19:21:21 set of, we have one document which represents an assessment plan.
00:19:21:21 - 00:19:24:12 And we have all these observations listed down here.
00:19:24:12 - 00:19:27:23 And you can see that they conform more closely to the OSCAL,
00:19:27:23 - 00:19:29:06 the full OSCAL schema.
00:19:29:06 - 00:19:30:21 But we've got lots of stuff missing there.
00:19:30:21 - 00:19:34:23 But over time we'll add this as the implementation grows.
00:19:35:00 - 00:19:36:24 Now this is sort of the back end.
00:19:36:24 - 00:19:39:19 This is what stores all the information, what we're querying
00:19:39:19 - 00:19:41:08 as we look at the demo.
00:19:41:08 - 00:19:46:02 Now if I go, yeah, you can see again here our findings have gone down to zero
00:19:46:02 - 00:19:49:08 as we fixed it. If I leave that tag
00:19:52:00 - 00:19:53:24 and turn,
00:19:53:24 - 00:19:56:06 being at the half minute as it comes back.
00:19:56:06 - 00:20:00:21 In the meantime, just to show you the code for the particular plugin.
00:20:01:02 - 00:20:03:21 So we have compliance dash framework, which is the GitHub
00:20:03:21 - 00:20:06:22 organization under which we've got these various code bases.
00:20:07:02 - 00:20:08:22 The Azure CF plugin.
00:20:08:22 - 00:20:13:01 This is the code that gets pulled and run to check those tags.
00:20:13:02 - 00:20:16:21 The entirety of this plugin is 263 lines of code,
00:20:17:02 - 00:20:18:21 and most of it's fairly easy to follow.
00:20:18:21 - 00:20:21:22 The key thing to describe is that we
00:20:21:22 - 00:20:24:23 use the Terraform model of plugins.
00:20:24:23 - 00:20:29:00 So it has a very similar setup to Terraform.
00:20:29:04 - 00:20:32:08 Plugins have two main functions to consider: evaluate,
00:20:32:14 - 00:20:35:24 which essentially returns all the VMs in a subscription.
00:20:35:24 - 00:20:38:20 So this is the thing that goes and gets all the components
00:20:38:20 - 00:20:42:08 this particular check will apply to, and returns those subjects
00:20:42:08 - 00:20:43:24 back to the engine.
00:20:43:24 - 00:20:46:16 Once the engine has those, for each component
00:20:46:16 - 00:20:49:07 that's relevant to this, execute the check.
00:20:49:07 - 00:20:51:00 When we execute the check,
00:20:51:00 - 00:20:54:13 retrieving the tags and then determining whether we have a tag or not.
00:20:54:16 - 00:20:59:09 If we do not have a tag, not has tag, then we create an observation
00:20:59:13 - 00:21:02:18 and a finding and append those to those objects,
00:21:02:24 - 00:21:07:09 and then pass those objects back, the result back to the client.
00:21:07:11 - 00:21:10:15 So it's fairly simple to implement your own check. 00:21:10:23 - 00:21:13:21 I might get Christiaan to talk a little bit about how he wants to build on this 00:21:13:21 - 00:21:15:03 and change it slightly. 00:21:15:03 - 00:21:17:05 So this is very much a proof of concept idea 00:21:17:05 - 00:21:19:21 for some of the simpler use cases we had. 00:21:19:21 - 00:21:23:08 But we're trying to make this more robust for different environments, including 00:21:23:15 - 00:21:25:00 ones that run agents. 00:21:25:00 - 00:21:27:23 Now let's look at the graph. Graph. Yeah. 00:21:27:23 - 00:21:30:20 You can see that the graph has come back to findings. 00:21:30:20 - 00:21:33:06 Okay. Christiaan, do you want to talk? 00:21:33:06 - 00:21:36:05 No, I don't have anything particular I want to share. 00:21:36:05 - 00:21:38:22 I could share a diagram of what it looks like. 00:21:38:22 - 00:21:41:05 Matthew asked a question in the chat, 00:21:41:05 - 00:21:43:00 if you wanted to answer that. Oh okay. 00:21:43:00 - 00:21:45:18 So yeah this is built entirely around, sorry. 00:21:45:18 - 00:21:49:09 Is the OSCAL framework something in particular beyond OSCAL itself? 00:21:49:09 - 00:21:50:17 No, not at all. Okay. 00:21:50:17 - 00:21:54:15 So yeah, essentially this system is a testing framework built around OSCAL. 00:21:54:20 - 00:21:58:05 So it's designed to be specifically for the compliance 00:21:58:05 - 00:22:00:09 arena, security and compliance arena. 00:22:00:09 - 00:22:03:11 I think where the disconnect was is 00:22:03:11 - 00:22:07:05 how the OSCAL artifacts, which was something that are propagating, 00:22:07:05 - 00:22:13:01 or the information in those artifacts is propagated to drive tests. 00:22:13:04 - 00:22:14:01 Yeah. No. 00:22:14:01 - 00:22:15:19 So you do have the SSPs, right? 00:22:15:19 - 00:22:18:07 This was probably where it can go deeper. 00:22:18:07 - 00:22:23:05 So what is in these SSPs is whatever the tests are doing.
00:22:23:06 - 00:22:25:17 Okay. So my plans. So yeah. Yeah. 00:22:25:17 - 00:22:27:20 We haven't implemented all that side of things. 00:22:27:20 - 00:22:30:19 OSCAL is rather big, as I'm sure you know. 00:22:30:19 - 00:22:35:09 And to implement all that functionality would be too much room for us. 00:22:35:09 - 00:22:37:15 We don't have people working full time on this. 00:22:37:15 - 00:22:40:11 This is very much a kind of bench project for us at the moment. 00:22:40:11 - 00:22:43:16 Maybe that will change if we get people paying for development on it. 00:22:43:20 - 00:22:44:08 At the moment 00:22:44:08 - 00:22:47:19 we're not implementing the whole of OSCAL in this. 00:22:47:23 - 00:22:51:08 I guess the driver for this was: I am a compliance officer. 00:22:51:10 - 00:22:52:13 I want to be able to know 00:22:52:13 - 00:22:54:24 which of my machines are out of compliance at the moment. 00:22:54:24 - 00:22:57:02 A primary goal is not to implement the whole of OSCAL. 00:22:57:02 - 00:23:01:08 It's to use OSCAL as a tool that allows us to integrate with other tools. 00:23:01:12 - 00:23:03:16 Having spoken to people at particularly Australian banks, 00:23:03:16 - 00:23:06:07 because in Australia now, as I'm sure many know, 00:23:06:07 - 00:23:09:22 regulators are now publishing regulations in OSCAL. 00:23:09:22 - 00:23:13:10 So we've talked to a few banks and institutions in Australia who are 00:23:14:00 - 00:23:17:01 building stuff around the control catalog, and having spoken to them 00:23:17:07 - 00:23:19:17 they say, oh it's great you're doing that side of things, 00:23:19:17 - 00:23:21:00 the assessment plans side of things. 00:23:21:00 - 00:23:24:00 Maybe we can merge our projects at some point in the future. 00:23:24:03 - 00:23:26:03 At the moment it's too big of a thing to chew. 00:23:26:03 - 00:23:27:18 Chew often in our spare time. 00:23:27:18 - 00:23:29:22 No, I think it's a really good question.
00:23:29:22 - 00:23:32:05 FINOS is there, and I just wanted to highlight. 00:23:32:05 - 00:23:36:16 So you were focusing on the assessment planning and running the assessment 00:23:36:16 - 00:23:40:17 and capturing the results, to be able to integrate from the other end 00:23:40:19 - 00:23:46:00 with control catalogs, profiles and implementations 00:23:46:00 - 00:23:50:13 coming also in OSCAL, and having that foundational infrastructure platform 00:23:50:13 - 00:23:55:23 that is able to support that process and merging those two aspects of it. 00:23:56:00 - 00:24:00:17 When it comes to FINOS, is there additional vision on how to move forward? 00:24:00:17 - 00:24:05:03 And what I wanted to add to what you are mentioning, the regulations 00:24:05:07 - 00:24:07:07 for the financial sector in Australia. 00:24:07:07 - 00:24:11:21 I think that what they're looking for is the CRI profile 00:24:11:21 - 00:24:17:00 that is for the financial sector to be represented in OSCAL and map 00:24:17:00 - 00:24:21:09 those either as a catalog or map to controls 00:24:21:09 - 00:24:25:13 to say the cards that are represented or need to be satisfied. 00:24:25:15 - 00:24:29:18 On the FINOS question, if FINOS produces a set of common 00:24:29:18 - 00:24:33:10 cloud controls applied across the industry, it means that this product 00:24:33:10 - 00:24:36:10 will then become more of an out of the box thing that people can use. 00:24:36:10 - 00:24:39:10 We would have a bunch of tests that would be specifically applied 00:24:39:10 - 00:24:43:16 to those common cloud controls so that we could cover 30-40% of 00:24:43:20 - 00:24:45:16 people's use cases for this. 00:24:45:16 - 00:24:47:19 There will be other people who have internal regulations.
00:24:47:19 - 00:24:49:02 I used to work for Barclays; 00:24:49:02 - 00:24:51:01 they used to collect the world's regulations 00:24:51:01 - 00:24:51:15 and then turn it 00:24:51:15 - 00:24:55:02 into an internal set of regulations. So they had a slightly different way of 00:24:55:02 - 00:24:55:16 doing it. 00:24:55:16 - 00:24:58:11 Others will be using industry standard controls 00:24:58:11 - 00:25:00:23 that we would like to be able to plug in and support. 00:25:00:23 - 00:25:03:11 But frankly we don't have the knowledge of OSCAL yet to 00:25:03:11 - 00:25:06:23 really say exactly how that will fit together in the future. 00:25:06:23 - 00:25:10:14 I think the power of OSCAL is that these documents can be sent to 00:25:10:14 - 00:25:14:14 and fro and other systems could eventually pick up those pieces of it. 00:25:14:17 - 00:25:19:11 I've learned that auditing compliance is an even bigger topic than I thought it was. 00:25:19:14 - 00:25:21:21 I think there's going to be a lot of different tools around here. 00:25:21:21 - 00:25:24:19 In fact one of the confusions we have when we talk to people about this 00:25:24:19 - 00:25:29:10 is they think it's like a security framework, like a reactive control system. 00:25:29:10 - 00:25:32:09 And it's not; it's literally about reporting your state. 00:25:32:09 - 00:25:35:03 And that's really the limit of our interest. 00:25:35:03 - 00:25:39:14 We're not going to be producing a system which will then act as a reactive or 00:25:39:17 - 00:25:40:23 preventative control. Right. 00:25:40:23 - 00:25:45:02 So for other interested parties, interested in FINOS, 00:25:45:11 - 00:25:49:18 to collaborate with them to guide their OSCAL adoption there. 00:25:49:18 - 00:25:53:19 And we do have on the call some other members that are supporting 00:25:53:19 - 00:25:58:24 that effort and representation of the common controls in OSCAL. 00:25:58:24 - 00:26:01:00 So there's still a lot of work to do.
00:26:01:00 - 00:26:04:14 And also collaborating with the Australian financial sector. 00:26:04:14 - 00:26:06:19 Chris, do you want to talk a little bit about future direction? 00:26:06:19 - 00:26:08:15 Yes. So one of the things we've noticed 00:26:08:15 - 00:26:12:11 with the framework as we've built it: as far as it's good and we can do, 00:26:12:18 - 00:26:15:11 you know, control testing and have a bit of flexibility 00:26:15:11 - 00:26:18:12 in that control testing to sort of specify exactly what we're 00:26:18:12 - 00:26:21:15 looking for, in terms of controls being quite a loose term, 00:26:21:17 - 00:26:23:24 you could be testing anything and then feeding that back 00:26:23:24 - 00:26:25:10 into the compliance framework. 00:26:25:10 - 00:26:29:18 What we've noticed is, if we're looking at large fleets, 00:26:29:24 - 00:26:33:00 if you're thinking about machines and testing security controls on machines 00:26:33:00 - 00:26:35:07 or specific settings on machines or anything like that, 00:26:35:07 - 00:26:37:19 as soon as you have a large enough fleet it becomes sort of 00:26:37:19 - 00:26:40:09 not as viable to log into each of those machines 00:26:40:09 - 00:26:43:04 and check those things as often as you would. 00:26:43:04 - 00:26:45:06 The second issue is access to those machines. 00:26:45:06 - 00:26:47:01 So some businesses might be okay with that, 00:26:47:01 - 00:26:50:18 but other businesses are not okay with having access to be able to log 00:26:50:18 - 00:26:54:15 into a large percentage of their fleet in order to check certain things. 00:26:54:23 - 00:26:58:16 The sort of opposite approach is a machine itself reporting its control 00:26:58:16 - 00:27:02:12 checks back to the compliance framework, rather than going to check them. 00:27:02:14 - 00:27:06:00 And the second one was being able to specify custom policies 00:27:06:00 - 00:27:08:22 without having to mess around with plugins that are doing certain things.
00:27:08:22 - 00:27:12:03 Plugins to the compliance framework essentially become data collectors 00:27:12:03 - 00:27:13:12 and then policy evaluators. 00:27:13:12 - 00:27:16:15 So we're extending that assessment piece a little bit 00:27:16:17 - 00:27:18:21 to be able to run in different places. 00:27:18:21 - 00:27:22:01 So you could have one instance of that running to check Azure 00:27:22:01 - 00:27:24:16 VMs and tags on Azure VMs and that sort of thing. 00:27:24:16 - 00:27:26:17 And you could then have separate instances, 00:27:26:17 - 00:27:29:20 sort of agents, on each of your machines to then report 00:27:29:20 - 00:27:33:08 certain policy checks and data checks back to the compliance framework. 00:27:33:08 - 00:27:37:05 And then you could have, in CI/CD or somewhere in your SDLC, 00:27:37:05 - 00:27:39:05 if you're generating security audits 00:27:39:05 - 00:27:42:15 or if you're doing security scans, vulnerability scans on your software, 00:27:42:18 - 00:27:43:12 anything like that, 00:27:43:12 - 00:27:46:19 you could then run it there to also report back to the compliance framework. 00:27:46:19 - 00:27:50:03 So you'd have the different plugins which understand different data formats 00:27:50:03 - 00:27:51:14 and different controls and different things 00:27:51:14 - 00:27:55:04 that are being checked for, and be able to push information about your control 00:27:55:04 - 00:27:57:02 checking from all of these different places. 00:27:57:02 - 00:27:59:23 Instead of having one thing trying to go out and check, 00:27:59:23 - 00:28:03:00 you could have these systems feeding back into the compliance framework. 00:28:03:00 - 00:28:06:14 All right, so elaborating, asking around the vision that you have: 00:28:06:14 - 00:28:09:14 when the components are reporting, 00:28:09:14 - 00:28:13:20 you have to have a way of checking against what is expected to be right. 00:28:13:20 - 00:28:18:06 The report is not just taken as the status quo and moved forward with.
00:28:18:06 - 00:28:19:21 So you have to compare that. 00:28:19:21 - 00:28:21:21 How are you going to identify 00:28:21:21 - 00:28:26:05 which ones are the ones that have findings and observations? 00:28:26:05 - 00:28:29:06 Because, is there a vision of being able to do so? 00:28:29:06 - 00:28:33:02 Because in this example with two VMs there is a finding, but it was not telling 00:28:33:02 - 00:28:34:11 exactly if it is 1 or 2. 00:28:34:11 - 00:28:37:17 Are you going to have to have the system report it to me, 00:28:37:17 - 00:28:40:10 the one that has the problem, or can that be captured? 00:28:40:10 - 00:28:41:18 Isn't that, to an extent, 00:28:41:18 - 00:28:44:22 part of the functionality? Because you have a thousand VMs 00:28:44:22 - 00:28:46:07 and you're not going to be able to log 00:28:46:07 - 00:28:49:10 into every single one to see which one had that finding. Yes. 00:28:49:10 - 00:28:52:14 So the idea with this agent sort of pushing information, 00:28:52:14 - 00:28:56:08 especially if you're checking on a local machine, is the results that it sends back 00:28:56:08 - 00:28:57:12 to the compliance framework. 00:28:57:12 - 00:29:01:15 Because we built into the plugin, we can essentially set any parameters 00:29:01:15 - 00:29:05:18 or data points in that, including hostnames or which specific 00:29:05:18 - 00:29:07:14 machine is sending that data, 00:29:07:14 - 00:29:10:16 we can identify which machine is out of compliance, for example, 00:29:10:16 - 00:29:14:09 out of the set of policies that have been defined for what a machine should 00:29:14:19 - 00:29:15:11 and should not be. 00:29:15:11 - 00:29:17:11 So we'd be able to identify those machines. 00:29:17:11 - 00:29:20:12 The other aspect of that which I've thought a little bit about is 00:29:20:12 - 00:29:23:12 also this idea of an inventory of assets. 00:29:23:15 - 00:29:27:18 A manager of a cloud infrastructure team might want compliance 00:29:27:18 - 00:29:29:16 on all of the machines that they have in Azure.
00:29:29:16 - 00:29:30:17 But how are they sure 00:29:30:17 - 00:29:34:13 that all of the machines that they have in Azure are reporting their policy status 00:29:34:13 - 00:29:36:17 and their compliance status back to the compliance framework? 00:29:36:17 - 00:29:38:07 They need to compare the two lists 00:29:38:07 - 00:29:40:02 to each other to make sure that everything is there. 00:29:40:02 - 00:29:43:22 This is something that I still have in my mind about this inventory idea 00:29:44:00 - 00:29:45:16 and merging those things together. 00:29:45:16 - 00:29:48:21 So when the controls are reported back they will be reporting who they are 00:29:48:24 - 00:29:50:07 from that perspective as well? 00:29:50:07 - 00:29:52:20 There's just one thing I'd like to clear up. 00:29:52:20 - 00:29:57:04 I think the reason that the graph did not show, if we go back to the plan, well, 00:29:57:05 - 00:30:01:24 the reason the graph did not show the historical failure is the granularity. 00:30:02:10 - 00:30:03:12 It has been running all day. 00:30:03:12 - 00:30:05:06 So I have hundreds of observations. 00:30:05:06 - 00:30:09:03 And I think the granularity of the graph in the tool doesn't allow us to see that. 00:30:09:03 - 00:30:11:00 And that's why it doesn't show up. 00:30:11:00 - 00:30:14:02 I'll log out again now and yeah, 00:30:14:02 - 00:30:17:19 hopefully it will have been long enough, but essentially it's too short a time frame. 00:30:17:19 - 00:30:20:11 Usually I start the demo like ten minutes before. 00:30:20:11 - 00:30:22:24 So there's only ten units of time. 00:30:22:24 - 00:30:25:02 This time, yeah, there's many hundreds. 00:30:25:02 - 00:30:26:05 So it just gets lost. 00:30:26:05 - 00:30:29:15 And also on the point about which machine was broken when: 00:30:29:19 - 00:30:33:07 we do store that information, I think you might have seen that a moment ago. 00:30:33:12 - 00:30:35:04 But it's only in the description at the moment.
00:30:35:04 - 00:30:38:12 We'd have to collect the components and store those in the database, 00:30:38:12 - 00:30:39:20 but that just isn't done yet. 00:30:39:20 - 00:30:42:09 When reporting on it you're going to want to know what was broken, 00:30:42:09 - 00:30:42:19 when. 00:30:42:19 - 00:30:45:07 The other thing that's come up in that context is 00:30:45:07 - 00:30:46:18 we had a requirement from a bank. 00:30:46:18 - 00:30:49:09 They wanted to be able to put exceptions 00:30:49:09 - 00:30:53:06 on components for particular controls and then report on that. 00:30:53:06 - 00:30:55:05 I don't know if there's a concept of that in OSCAL. 00:30:55:05 - 00:30:57:20 But let's say you have a machine that has something running as root, 00:30:57:20 - 00:31:00:03 which generally shouldn't be but has to for a particular reason, 00:31:00:03 - 00:31:02:18 then you'd want to flag that component as exempt. 00:31:02:18 - 00:31:03:00 Sure. 00:31:03:00 - 00:31:06:17 If you define that, if you tailor the controls for that component, 00:31:06:17 - 00:31:10:04 of course it is going to follow whatever the assessment plan says. 00:31:10:10 - 00:31:13:05 So that's the mechanism that I was mentioning earlier. 00:31:13:05 - 00:31:17:10 When you have the need for such an exception, then the OSCAL artifacts 00:31:17:10 - 00:31:21:17 are going to document that; that would be a change for that particular component. 00:31:21:17 - 00:31:26:13 Then it's going to assess only what changed to make sure that is in place. 00:31:26:13 - 00:31:27:13 It could be the opposite. 00:31:27:13 - 00:31:29:17 Right, everything was running with sudo. 00:31:29:17 - 00:31:33:02 And then all of a sudden you have the need to remove some of them from 00:31:33:03 - 00:31:34:04 elevated credentials. 00:31:34:04 - 00:31:39:17 So being able to capture that and trigger automatic reassessment or auditing 00:31:39:17 - 00:31:43:11 of only the things that were changed is part of the power of OSCAL. 00:31:43:11 - 00:31:44:01 So yeah.
00:31:44:01 - 00:31:47:01 And the other thing that's come up is tracking those changes over time, 00:31:47:06 - 00:31:49:13 knowing which things were checked and at which time. 00:31:49:13 - 00:31:52:15 And then again, yeah, there's a lot of reporting challenges around that. 00:31:53:03 - 00:31:54:08 Thank you for this presentation. 00:31:54:08 - 00:31:57:01 I think it's incredible. And it's good to see that you're 00:31:57:01 - 00:31:58:21 leveraging kind of the other half of OSCAL, 00:31:58:21 - 00:32:00:12 the operational recording side. 00:32:00:12 - 00:32:02:05 One of the questions I have is: 00:32:02:05 - 00:32:06:09 how in the compliance framework do you connect the specific test 00:32:06:09 - 00:32:10:03 that you execute to the control that it's intended to satisfy? 00:32:10:03 - 00:32:11:23 Obviously you need to have the auditor involved. 00:32:11:23 - 00:32:13:08 It's not just a technical problem. 00:32:13:08 - 00:32:15:04 How do you manage that configuration? 00:32:15:04 - 00:32:18:09 You may also have to test the same control differently on different systems 00:32:18:09 - 00:32:20:17 depending on lots of things. Yeah. 00:32:20:17 - 00:32:22:07 The short answer is we don't yet. 00:32:22:07 - 00:32:23:11 We haven't got around to it. 00:32:23:11 - 00:32:23:18 Yeah. 00:32:23:18 - 00:32:25:23 What I was talking about earlier with respect to 00:32:25:23 - 00:32:28:03 we're not implementing the whole of OSCAL. 00:32:28:03 - 00:32:29:09 I didn't think that would work. 00:32:29:09 - 00:32:31:23 And we haven't got the resources to do that at the moment. 00:32:31:23 - 00:32:35:05 We just say what's out of compliance based on the configuration. 00:32:35:09 - 00:32:37:13 Then it's up to the user to map that back to the control. 00:32:37:13 - 00:32:39:14 But ultimately yeah, that's the dream. Okay.
00:32:39:14 - 00:32:41:00 To answer your question, Robert, a little bit 00:32:41:00 - 00:32:42:23 more: this is something that I have considered, 00:32:42:23 - 00:32:45:02 because when we do feed control information back 00:32:45:02 - 00:32:47:17 we also need to understand which controls are applicable. 00:32:47:17 - 00:32:50:13 And we can't build those controls necessarily into plugins 00:32:50:13 - 00:32:52:20 or that sort of thing, because the controls 00:32:52:20 - 00:32:55:07 might be very different in different places, different countries. 00:32:55:07 - 00:32:56:05 Yeah, you know all that. 00:32:56:05 - 00:33:00:07 So we might not have all the keys and we don't want to know everything 00:33:00:07 - 00:33:01:10 that you control wise. 00:33:01:10 - 00:33:03:22 And so one of the things I've been working on in building, 00:33:03:22 - 00:33:06:23 and hopefully we'll be able to show this a little bit more in the future, 00:33:06:23 - 00:33:10:24 is actually specifying which controls fall within which policies you're running. 00:33:10:24 - 00:33:14:19 So if you're running a data check on a VM to make sure that it's not password 00:33:14:19 - 00:33:16:23 accessible, that it needs some sort of encryption along 00:33:16:23 - 00:33:19:14 the way, you can also specify what control that applies to. 00:33:19:14 - 00:33:21:07 So IA-2, whichever. 00:33:21:07 - 00:33:25:03 And as soon as it checks that policy, if it passes it gives a positive result 00:33:25:03 - 00:33:28:18 back for the IA-2 control for that specific instance of a machine. 00:33:28:23 - 00:33:32:18 The same for failure of it, to say right, one of the checks on control 00:33:32:18 - 00:33:35:16 IA-2 has failed. Then that feeds back into that system. 00:33:35:16 - 00:33:38:22 But you can essentially define which controls the policy is for. 00:33:39:00 - 00:33:40:05 Perfect. Thank you.
00:33:40:05 - 00:33:44:11 So if I may add to that, actually the assessment plan, 00:33:44:11 - 00:33:47:09 if you have it and you use that one to identify 00:33:47:09 - 00:33:52:04 what are the tests that you have to run, it's going to link, using the OSCAL native 00:33:52:04 - 00:33:56:10 traceability, to the system security plan that implements the control and tells you 00:33:56:10 - 00:33:58:01 how the control was implemented, 00:33:58:01 - 00:34:02:09 into the control itself coming from a profile or from a catalog. 00:34:02:12 - 00:34:03:23 That is built into OSCAL. 00:34:03:23 - 00:34:07:03 And that will allow you to say exactly what is the control 00:34:07:03 - 00:34:09:11 or the part of the control that you are testing. 00:34:09:11 - 00:34:12:24 Because you are using an assessment plan that was rudimentarily 00:34:13:01 - 00:34:17:03 redesigned at this point for the demo purpose, probably that was the reason. 00:34:17:05 - 00:34:20:12 So with that I would like to thank our presenters. 00:34:20:12 - 00:34:23:07 Very interesting and a very good conversation, 00:34:23:07 - 00:34:26:09 and to our audience who are joining us again today. 00:34:26:09 - 00:34:28:15 We are looking forward to seeing how this is going to evolve. 00:34:28:15 - 00:34:33:15 And hopefully, it being open source, it gets a lot of other hands 00:34:33:15 - 00:34:35:21 that will help drive this project forward.