RFC-TENANT-SECURITY-0001                                         Section 2
Category: Standards Track                                     Requirements

2. Requirements

2.1 Design Goals

2.1.1 Primary Goals

Goal                     Description
----                     -----------
Defense in Depth         Multiple independent security layers such that compromise of one layer does not compromise the system
Zero Trust Posture       No implicit trust; all traffic must be explicitly authorized
OWASP Protection         Mitigate OWASP Top 10 and API Security Top 10 risks at the network layer
Tenant Isolation         Prevent cross-tenant communication unless explicitly permitted
Operational Simplicity   Centralized management with minimal operational burden

2.1.2 Secondary Goals

Goal            Description
----            -----------
GitOps Native   All security policies defined in version control
Observable      Security events integrated with monitoring and alerting
Auditable       Controls documented for compliance requirements
Extensible      Architecture accommodates future security capabilities

2.2 Non-Goals

Non-Goal                            Rationale                                Alternative
--------                            ---------                                -----------
Application-level authorization     Business logic belongs in applications   RFC-IAM-0001 provides patterns
Service-to-service authentication   East-West traffic handled separately     RFC-WORKLOAD-IDENTITY
Secret management                   Secrets have dedicated architecture      RFC-SECOPS-0001
DDoS mitigation at network layer    Requires infrastructure-level controls   Cloud provider or CDN
Content inspection beyond HTTP      Deep packet inspection out of scope      Specialized tools if required

2.3 Architectural Invariants

Invariants are rules that MUST always hold true. Violation of an invariant indicates a system failure or misconfiguration.

2.3.1 Traffic Protection Invariants

Invariant 1 — WAF Coverage

All external HTTP and HTTPS traffic MUST pass through the Web Application Firewall before reaching application workloads. Traffic that bypasses the WAF MUST NOT reach applications.

Aspect             Requirement
------             -----------
Scope              All ingress HTTP/HTTPS traffic
Enforcement        Ingress architecture
Violation Impact   Applications exposed to unfiltered attacks

Invariant 2 — TLS Minimum Version

All public endpoints MUST use TLS 1.2 or higher. TLS 1.0 and TLS 1.1 MUST NOT be accepted for any public-facing service.

Aspect             Requirement
------             -----------
Scope              All public endpoints
Enforcement        Ingress TLS configuration
Violation Impact   Cryptographic weakness exposure

Invariant 3 — Certificate Automation

Certificate provisioning for production endpoints MUST be automated. Manual certificate installation MUST NOT be used for production endpoints.

Aspect             Requirement
------             -----------
Scope              Production TLS certificates
Enforcement        cert-manager automation
Violation Impact   Certificate expiry incidents

Invariant 4 — WAF Detection Before Enforcement

New WAF rule sets MUST operate in detection mode before enforcement mode is enabled. Direct deployment to enforcement mode MUST NOT occur without a detection period.

Aspect             Requirement
------             -----------
Scope              WAF rule deployment
Enforcement        Operational procedure
Violation Impact   False positive outages

2.3.2 Network Policy Invariants

Invariant 5 — Default Deny Ingress

All tenant namespaces MUST have a default-deny ingress network policy. Traffic to pods MUST be explicitly allowed; implicit allow MUST NOT exist.

Aspect             Requirement
------             -----------
Scope              All tenant namespaces
Enforcement        NetworkPolicy resources
Violation Impact   Unauthorized access possible

Invariant 6 — Explicit Cross-Namespace Authorization

Cross-namespace traffic MUST be explicitly authorized through network policies. Implicit cross-namespace access MUST NOT exist.

Aspect             Requirement
------             -----------
Scope              All namespace boundaries
Enforcement        NetworkPolicy resources
Violation Impact   Lateral movement possible

Invariant 7 — Controlled Egress

Egress to the public internet from tenant namespaces MUST be controlled. Unrestricted egress MUST NOT be permitted from tenant workloads.

Aspect             Requirement
------             -----------
Scope              Tenant namespace egress
Enforcement        NetworkPolicy resources
Violation Impact   Data exfiltration paths
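Invariants 5, 6 and 7 can be audited mechanically from the NetworkPolicy resources themselves. The following checker is an added example, not part of this RFC or its reference implementation; it works on policies represented as plain dicts in the networking.k8s.io/v1 shape, and the tenant namespace names and sample policies are constructed for illustration.

```python
def np(ns, name, pod_selector, types, ingress=None, egress=None):
    # Build a networking.k8s.io/v1 NetworkPolicy as a plain dict (constructed sample).
    spec = {"podSelector": pod_selector, "policyTypes": types}
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}

def selects_all_pods(p: dict) -> bool:
    # An empty podSelector ({}) matches every pod in the namespace.
    return p["spec"].get("podSelector", {}) == {}

def policy_types(p: dict) -> list:
    # Simplification: Kubernetes also infers Egress when an egress stanza is present.
    return p["spec"].get("policyTypes", ["Ingress"])

def is_default_deny(p: dict, direction: str) -> bool:
    # Default deny: selects all pods, lists the direction, and has no rules for it.
    return (selects_all_pods(p) and direction in policy_types(p)
            and not p["spec"].get(direction.lower()))

def has_implicit_cross_namespace(p: dict) -> bool:
    # An empty namespaceSelector ({}) matches every namespace in the cluster (INV-6).
    return any(peer.get("namespaceSelector") == {}
               for rule in p["spec"].get("ingress", [])
               for peer in rule.get("from", []))

def audit(tenants: list, policies: list) -> dict:
    # Return {namespace: [findings]} for tenant namespaces violating INV-5/6/7.
    findings = {}
    for ns in tenants:
        pols = [p for p in policies if p["metadata"]["namespace"] == ns]
        out = []
        if not any(is_default_deny(p, "Ingress") for p in pols):
            out.append("INV-5: no default-deny ingress policy")
        if not any(selects_all_pods(p) and "Egress" in policy_types(p) for p in pols):
            out.append("INV-7: no egress policy selecting all pods (egress unrestricted)")
        out += [f"INV-6: {p['metadata']['name']} allows ingress from every namespace"
                for p in pols if has_implicit_cross_namespace(p)]
        if out:
            findings[ns] = out
    return findings

# Constructed sample: tenant-a is compliant, tenant-b violates all three invariants.
TENANTS = ["tenant-a", "tenant-b"]
SAMPLE = [
    np("tenant-a", "default-deny", {}, ["Ingress", "Egress"]),
    np("tenant-a", "allow-from-ingress", {"matchLabels": {"app": "web"}}, ["Ingress"],
       ingress=[{"from": [{"namespaceSelector":
                           {"matchLabels": {"kubernetes.io/metadata.name": "ingress-nginx"}}}]}]),
    np("tenant-b", "allow-all-ns", {}, ["Ingress"], ingress=[{"from": [{"namespaceSelector": {}}]}]),
]
```

Running `audit(TENANTS, SAMPLE)` reports findings only for tenant-b; the same logic can be applied to manifests read from the GitOps repository so that INV-5 through INV-7 are checked before a policy change is merged.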

Invariant 8 — Guardrail Policy Precedence

Platform guardrail policies MUST NOT be overridable by tenant-level policies. Guardrails MUST take precedence over tenant policies.

Aspect             Requirement
------             -----------
Scope              Platform security policies
Enforcement        Policy hierarchy
Violation Impact   Security bypass

2.3.3 Observability Invariants

Invariant 9 — Blocked Request Logging

All blocked requests MUST be logged with sufficient context for incident response. Context MUST include source IP, target, rule triggered, and timestamp.

Aspect             Requirement
------             -----------
Scope              WAF and network policy blocks
Enforcement        Logging configuration
Violation Impact   Incident response hindered

Invariant 10 — Network Flow Observability

Network flow data MUST be observable for troubleshooting and audit purposes. Flow logs MUST be available for security analysis.

Aspect             Requirement
------             -----------
Scope              All cluster network traffic
Enforcement        CNI observability features
Violation Impact   Troubleshooting blind spots

Invariant 11 — Monitoring Integration

WAF security events MUST be integrated with the platform monitoring and alerting system. Critical security events MUST trigger alerts.

Aspect             Requirement
------             -----------
Scope              WAF security events
Enforcement        Monitoring integration
Violation Impact   Delayed incident detection

2.3.4 GitOps Invariants

Invariant 12 — Policy Version Control

Network policy definitions MUST be stored in Git and applied via GitOps. Manual policy creation outside Git MUST NOT be used for production.

Aspect             Requirement
------             -----------
Scope              All network policies
Enforcement        GitOps workflow
Violation Impact   Configuration drift, audit gaps

Invariant 13 — WAF Rule Version Control

WAF rule customizations MUST be version controlled. Ad-hoc rule changes MUST NOT be made outside version control.

Aspect             Requirement
------             -----------
Scope              WAF rule customizations
Enforcement        GitOps workflow
Violation Impact   Untracked security changes

Invariant 14 — Automated Secret Management

TLS secrets MUST be managed via automated systems (cert-manager or ESO). Manual secret creation MUST NOT be used for TLS certificates.

Aspect             Requirement
------             -----------
Scope              TLS certificate secrets
Enforcement        Automation tooling
Violation Impact   Secret sprawl, expiry incidents

2.4 Invariant Summary

ID       Category        Statement
--       --------        ---------
INV-1    Traffic         All external HTTP/HTTPS traffic MUST pass through WAF
INV-2    Traffic         All public endpoints MUST use TLS 1.2+
INV-3    Traffic         Certificate provisioning MUST be automated
INV-4    Traffic         WAF rules MUST operate in detection before enforcement
INV-5    Network         All tenant namespaces MUST have default-deny ingress
INV-6    Network         Cross-namespace traffic MUST be explicitly authorized
INV-7    Network         Egress to internet MUST be controlled
INV-8    Network         Platform guardrails MUST NOT be overridable
INV-9    Observability   All blocked requests MUST be logged
INV-10   Observability   Network flows MUST be observable
INV-11   Observability   WAF events MUST integrate with monitoring
INV-12   GitOps          Network policies MUST be in Git
INV-13   GitOps          WAF customizations MUST be version controlled
INV-14   GitOps          TLS secrets MUST be automated

2.5 Success Criteria

2.5.1 Security Criteria

Criterion                Measurement
---------                -----------
OWASP Top 10 coverage    WAF blocks all standard OWASP test payloads
Zero trust enforcement   No implicit allow policies exist
Tenant isolation         Cross-namespace probes fail by default
Bot mitigation           Challenge mechanisms activate for suspicious traffic

2.5.2 Operational Criteria

Criterion                Measurement
---------                -----------
Certificate automation   Zero manual certificate operations
Policy drift             Git state matches cluster state
Alert coverage           Critical events trigger notifications
Recovery time            WAF mode can be toggled within defined threshold

2.5.3 Compliance Criteria

Criterion          Measurement
---------          -----------
SOC 2 CC6.6        WAF controls documented
PCI DSS 6.6        WAF implementation evidence
ISO 27001 A.13.1   Network segmentation documentation

End of Section 2