Releasing Version 1.2 of CSAP Parts 1 to 3

Posted on October 19, 2022
CSAP implementors’ comments improve CSAP
Today we are releasing updates to the following parts of the Common Security Architecture for Production (CSAP):

  • CSAP Part 1: Architecture (v1.2)
  • CSAP Part 2: Interfaces (v1.2)
  • CSAP Part 3: Security Levels (v1.2)

These new versions come in response to comments from those organizations actively implementing CSAP in their workflows and systems. You talked, we listened!

We have changed how the architecture of the core security components is described and redistributed some of the functions.

We have also changed the term “Authorization Policy” (formerly known as “Dynamic Security Policy”) to “Authorization Rule.” In the revised CSAP architecture, the Policy Manager is collapsed into the Authorization Service, and all the steps of Authorization Rule creation, including validation against global security policies (those that come from, for example, an enterprise level and reflect the current security stance), happen within the Authorization Service. The Authorization Rules are then sent to the Authorization Rules Distribution Service, which manages distribution to the Policy Enforcement Points.

A CSAP policy is a statement defining what is authorized or what must be denied. A CSAP rule describes a policy in a form understandable by the policy enforcement point to which it is directed. A policy template is the means to convert a policy into a rule and is often specific to the technology of the policy enforcement point.

Here is how v1.0 looked:

Version 1.2 update of CSAP Parts 1 to 3: Figure 1

And this is v1.2:

Version 1.2 update of CSAP Parts 1 to 3: Figure 2

The Authorization Rule is created using input from the same sources, but by moving the function of the policy service into the Authorization Service, implementation is simplified because the reconciliation of the Authorization Policy request and the global security policies happens as part of the Authorization Rule creation process rather than downstream.
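To make the v1.2 flow concrete, here is an added illustration (example code, not part of CSAP or its published interfaces) of an Authorization Service that reconciles a requested policy against global security policies as part of rule creation, renders it through a per-technology policy template into a rule for each target policy enforcement point, and hands the rules to a distribution service. The policy fields, the two PEP types, their rule formats, and the "deny wins" reconciliation are assumptions made for the example.

```python
"""Illustrative model of the CSAP v1.2 Authorization Rule flow.

Added example, not CSAP's own code.  The policy data model, the two
hypothetical PEP technologies ("storage", "gateway") and their rule
formats are assumptions chosen for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """A policy: a statement of what is authorized or must be denied."""
    effect: str       # "allow" or "deny"
    principal: str    # who the statement applies to ("*" = anyone)
    action: str       # e.g. "read", "write" ("*" = any action)
    resource: str     # resource prefix the statement covers


@dataclass
class Rule:
    """A rule: a policy rendered in the form one PEP understands."""
    pep: str
    body: dict


class PolicyConflict(Exception):
    """Requested policy would authorize something a global policy denies."""


def reconcile(request: Policy, global_policies: list[Policy]) -> Policy:
    """Validate a requested policy against the global (enterprise-level)
    policies.  A global deny covering the request wins outright; this is
    the step v1.2 moves inside the Authorization Service."""
    for g in global_policies:
        if (g.effect == "deny"
                and g.principal in ("*", request.principal)
                and g.action in ("*", request.action)
                and request.resource.startswith(g.resource)):
            raise PolicyConflict(f"{request} conflicts with global policy {g}")
    return request


# Policy templates: one per PEP technology (hypothetical formats).
def storage_acl_template(p: Policy) -> dict:
    """Render the policy as an object-store ACL entry."""
    return {"principal": p.principal, "permission": p.action.upper(),
            "prefix": p.resource, "allow": p.effect == "allow"}


def gateway_rule_template(p: Policy) -> dict:
    """Render the policy as an API-gateway match/action rule."""
    verb = {"read": "GET", "write": "PUT"}[p.action]
    return {"match": {"subject": p.principal, "method": verb, "path": p.resource},
            "action": "permit" if p.effect == "allow" else "reject"}


TEMPLATES = {"storage": storage_acl_template, "gateway": gateway_rule_template}


def authorization_service(request: Policy, global_policies: list[Policy],
                          peps: list[str]) -> list[Rule]:
    """v1.2 Authorization Service: reconcile first, then render one rule
    per target PEP.  A conflict stops rule creation before anything is
    produced, so no rule ever reaches a PEP unvalidated."""
    policy = reconcile(request, global_policies)
    return [Rule(pep=pep, body=TEMPLATES[pep](policy)) for pep in peps]


class RulesDistributionService:
    """Delivers rules to PEPs; the PEPs are stand-ins (in-memory lists)."""
    def __init__(self) -> None:
        self.delivered: dict[str, list[dict]] = {}

    def distribute(self, rules: list[Rule]) -> dict[str, list[dict]]:
        for r in rules:
            self.delivered.setdefault(r.pep, []).append(r.body)
        return self.delivered


# Constructed global policy: enterprise-wide freeze on writes to final cuts.
GLOBAL_POLICIES = [Policy("deny", "*", "write", "asset://dailies/final/")]


def demo() -> tuple[dict[str, list[dict]], bool]:
    """Run one permitted request and one that the global policy blocks."""
    dist = RulesDistributionService()
    ok = authorization_service(
        Policy("allow", "editor@example.com", "read", "asset://dailies/"),
        GLOBAL_POLICIES, ["storage", "gateway"])
    dist.distribute(ok)
    try:
        authorization_service(
            Policy("allow", "editor@example.com", "write", "asset://dailies/final/cut1"),
            GLOBAL_POLICIES, ["storage"])
        blocked = False
    except PolicyConflict:
        blocked = True
    return dist.delivered, blocked


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is the one the text makes: because `reconcile` runs inside the Authorization Service before any template is applied, a request that the enterprise-level stance denies never becomes a rule and never needs to be caught downstream at the distribution service or the PEP.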

We have also added a section on CSAP delegation, describing how CSAP can be used across different organizations, each with a different level of security management autonomy.

Download CSAP Parts 1-3 v1.2 to see the updates in more detail, and you will also be able to read the expansion of Part 3 Security Levels, which adds detail to the levels and adds a section on automation.

We’ll continue to iterate CSAP with your input, so please continue to give us feedback as you learn and deploy.
