[Proposal] White Paper Compliance Use Cases

[hubbertsmith]

Description: Compliance Use Cases Whitepaper

Impact: This helps developers of compliance-related software understand how the code they develop will be used, by various personas.
This helps adopters of compliance-related software understand the roles and responsibilities of the various personas.

Scope:
https://docs.google.com/document/d/e/2PACX-1vRAYxHDwowAAT_Td55yEfA4NUN19KnkaTPGjlGYt0Ed3UD1Gd7nEvCNM0fbrfaI2Q/pub
to do --
[] add more authors
[] conduct reviews and edits required by Security TAG

Intent to lead:

• Hubbert Smith, volunteers to be a project lead on this proposal.
  The Compliance GRC group has expressed interested in pursing this work.

Proposal to Project:

• Added to the planned meeting template for mm dd
  so far this work done within Compliance WG
  https://docs.google.com/document/d/1z9xvt-Z97j4CtEH1-nR9sMWul7jQkUi_fNY7BdMPgxM/edit?tab=t.0#heading=h.3ypqt0obu6uy

• Raised in a Security TAG meeting to determine interest - mm dd
  Ready to make the request. just let me know when and where

• Collaborators comment on issue for determine interest and nominate project
  lead Hubbert Smith
  needs others

• Scope determined via meeting mm dd and/or shared document add link
  this has been discussed - https://cloud-native.slack.com/archives/C07RNHV3YE4
  but needs additional focus

• Scope presented to Security TAG leadership and Sponsor is assigned

TO DO

• Security TAG Leadership Representative:
• Project leader(s):
• Issue is assigned to project leaders and Security TAG Leadership
  Representative
• Project Members:
• Fill in addition TODO items here so the project team and community can
  see progress!
• Scope
• Deliverable(s)
• Project Schedule
• Slack Channel (as needed)
• Meeting Time & Day:
• Meeting Notes (link)
• Meeting Details (zoom or hangouts link)
• Retrospective

[sunstonesecure-robert]

I have reviewed and think it has important points. Since it notes that the top breach vectors are Credential related, I would suggest reviewing with relevant CNCF projects contribute examples of how these are mitigated would underline the CNCF contributions to solving these challenges. For example KeyCloak, OPA, Cloud custodian, certmanager, many others...and given that it has a lot of content on data breaches in particular, maybe some of the more data lifecycle projects are relevant and could chime in with examples/best practices, eg. etcd, tikv, rook, Kubeflow, many others...

The Compliance GRC group has expressed interested in pursing this work.

I believe several participants have reviewed the paper. I would definitely like to see some of the above examples presented at the GRC WG calls and can help coordinate!

overall huge +1 to moving foward!