My #KubeCon talk from Amsterdam a few weeks ago is now up on YouTube! The #EUCS — a compliance certification scheme for service providers in the cloud — is on its way, and will have a big impact on how organizations work with #security, #compliance and #automation. A holistic framework like the EUCS provides #policy controls applicable to the whole stack. How would we codify and enforce such rules?

#OPA #PolicyAsCode #Rego #OSCAL @enisa_eu

https://www.youtube.com/watch?v=XoWf4QcSbDw

I really do like the idea of #OSCAL — a standardized, machine readable format (JSON/YAML/XML) to describe:

1. Compliance / security / privacy requirements
2. The components / methods used to achieve said compliance
3. The methods used to assess and report compliance

However, the people at #NIST et al. advocating this desperately need to learn a thing or two about communication. It's like they spent so much time on machine readability that even their talks are optimized for machines.

Trying to get a handle on #OSCAL and I'm having the same problem I always have with #STIX: the use cases, even if phrased as user stories are so high level to be meaningless, and every presentation seems to dive into minutae that in no way relates to any kind of day-to-day activity.

It's mind boggling.

There's also the "java/xml? if it was 15 years ago and still at a more enterprisey org, then sure let's goooo", but not really relevant at any recent orgs anymore...

#infosec #grc

I had an #OSCAL epiphany this week.

Previously, I was attracted to:
- the (still embryonic) interoperability story, a lingua franca for tools in the #GRC/assessment space is obviously cool and useful
- the possibilities of security-documentation-as-code (though I'm somewhat bearish on the idea of that getting traction in my org).

Now, I finally grok the component model, and I think it's going to be transformative.

I'd love to hear from anyone out there who has integrated #NIST #OSCAL into their security program in any meaningful way https://pages.nist.gov/OSCAL/

For me the assessment (plans, and results) side of things is the most interesting part at the moment.