diff --git a/CODEX_INSTRUCTIONS.md b/CODEX_INSTRUCTIONS.md index 577a24a..8d186e0 100644 --- a/CODEX_INSTRUCTIONS.md +++ b/CODEX_INSTRUCTIONS.md @@ -24,6 +24,7 @@ Tone: crisp, enterprise, practical. Avoid buzzword soup. Prefer clear boundaries - Include runbooks, SLAs/SLOs, incident response playbooks, change management, exception handling, risk acceptance. - Include a CI workflow that checks markdown, mermaid syntax, and link validity (best-effort). - Everything must be public-safe: no secrets, no internal URLs, no real tenant IDs. +- Every major document must be complete, non-placeholder, and cross-linked to related docs and diagrams. ## 1) Output format requirements - Use Markdown for documentation (`docs/`). @@ -32,6 +33,7 @@ Tone: crisp, enterprise, practical. Avoid buzzword soup. Prefer clear boundaries - Use JSON for Azure Policy stubs. - Use HTML/CSS for `/site` static docs with a simple nav and search (JS optional). - Provide consistent naming, cross-links, and an index. +- Avoid inline newline escapes like `\n` in Markdown lists. ## 2) Repo name + branding Repo title: `cloud-security-service-model` @@ -167,6 +169,23 @@ Tagline: “A pragmatic, enterprise Cloud Security service operating model (Azur okrs.md kpi-cadence.md + docs/ + site/ + README.md + index.html + assets/ + style.css + app.js + pages/ + overview.html + service-definition.html + operating-model.html + architecture.html + kpis.html + roadmap.html + runbooks.html + templates.html + hybrid.html site/ README.md index.html @@ -238,6 +257,7 @@ Tagline: “A pragmatic, enterprise Cloud Security service operating model (Azur - privileged access exposure (PIM activations, standing admins) - misconfiguration trend rate - backup restore test success rate +- Add a brief SLA/SLO section with targets for core service capabilities. - Include a sample dashboard mock (markdown table) and a “metrics anti-patterns” section ### docs/08-roadmap-and-maturity.md 
@@ -381,6 +401,7 @@ Keep it stable and not overcomplicated. - docs index in README - Each doc includes “Related docs” at bottom - Diagrams referenced from relevant docs +- Each diagram should be referenced by at least one doc and the related doc should mention the diagram. ## 12) Quality bar - No fluff. Every section must answer: “what is it, who owns it, how does it work, how is success measured, how does it improve”. @@ -392,6 +413,7 @@ Keep it stable and not overcomplicated. - “Evidence” (audit artifacts) - Prefer explicit tables (RACI, KPIs, cadences, responsibilities). - Include “anti-patterns” sections to show maturity (e.g., security as blocker, PDF policies, hero culture). +- Ensure Markdown content is lint-friendly and free of formatting artifacts. ## 13) Execution steps (what you should do now) 1) Create all files and folders above. diff --git a/README.md b/README.md index 04e15c2..27cf738 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,7 @@ interfaces, measurable outcomes, and lifecycle management across Azure and hybri - Runbooks: [`docs/20-runbooks/README.md`](docs/20-runbooks/README.md) - Templates: [`docs/21-templates/README.md`](docs/21-templates/README.md) - Diagrams: [`docs/22-diagrams/README.md`](docs/22-diagrams/README.md) +- Static site: [`docs/site/index.html`](docs/site/index.html) - Static site: [`site/index.html`](site/index.html) ## Service lifecycle (preview) @@ -68,6 +69,7 @@ graph LR [`docs/00-executive-overview.md`](docs/00-executive-overview.md). ## Using the static site +Open [`docs/site/index.html`](docs/site/index.html) to browse a minimal HTML version of the content with navigation and search. Open [`site/index.html`](site/index.html) to browse a minimal HTML version of the content with navigation and search. ## Repo structure diff --git a/docs/00-executive-overview.md b/docs/00-executive-overview.md index 6de9b79..a355f1c 100644 --- a/docs/00-executive-overview.md +++ b/docs/00-executive-overview.md 
@@ -30,6 +30,17 @@ predictability. - Risk & audit readiness - Hybrid posture management +## Service lifecycle (visual) +```mermaid +flowchart LR + A[Discover Demand] --> B[Define Service] + B --> C[Design Controls] + C --> D[Build Controls as Code] + D --> E[Operate & Monitor] + E --> F[Measure & Improve] + F --> B +``` + ## Documentation index - [`01-service-definition.md`](01-service-definition.md) - [`02-service-catalog.md`](02-service-catalog.md) diff --git a/docs/04-reference-architecture.md b/docs/04-reference-architecture.md index fd28398..7a243f9 100644 --- a/docs/04-reference-architecture.md +++ b/docs/04-reference-architecture.md @@ -17,6 +17,18 @@ logging/monitoring services. It supports Azure and hybrid assets via Azure Arc. 3. Logs are forwarded to SIEM for detection and response. 4. Evidence is stored and mapped to controls. +## Shared responsibility (visual) +```mermaid +flowchart LR + A[Cloud Provider] --> B[Physical Security] + A --> C[Hypervisor] + A --> D[Core Services] + E[Customer] --> F[Identity] + E --> G[Data] + E --> H[Configuration] + E --> I[Applications] +``` + ## Diagram Shared responsibility overview: [`22-diagrams/shared-responsibility.mmd`](22-diagrams/shared-responsibility.mmd) diff --git a/docs/05-operating-model.md b/docs/05-operating-model.md index 2950cba..c3162be 100644 --- a/docs/05-operating-model.md +++ b/docs/05-operating-model.md @@ -8,6 +8,15 @@ The Cloud Security Service operates in a continuous lifecycle: - **Run:** monitoring, incident response, compliance reporting. - **Improve:** retrospectives, KPI review, maturity evolution. +## Operating model (visual) +```mermaid +flowchart LR + A[Plan] --> B[Build] + B --> C[Run] + C --> D[Improve] + D --> A +``` + ## Diagram See the lifecycle model diagram: [`22-diagrams/security-operating-model.mmd`](22-diagrams/security-operating-model.mmd) diff --git a/docs/16-logging-monitoring-siem.md b/docs/16-logging-monitoring-siem.md index 76291b7..9f3d5db 100644 
--- a/docs/16-logging-monitoring-siem.md +++ b/docs/16-logging-monitoring-siem.md @@ -13,6 +13,16 @@ ## Hybrid logging Azure Arc-enabled servers forward logs to centralized SIEM with consistent tags and retention. +## Hybrid logging architecture (visual) +```mermaid +flowchart LR + A[Azure Resources] --> B[Log Analytics] + C[Arc-enabled Servers] --> B + D[Azure Local] --> E[Log Forwarder] + E --> B + B --> F[SIEM] +``` + ## Diagram Hybrid logging architecture: [`22-diagrams/hybrid-logging-architecture.mmd`](22-diagrams/hybrid-logging-architecture.mmd) diff --git a/docs/19-devsecops-pipelines.md b/docs/19-devsecops-pipelines.md index ddff9ae..f3aca0f 100644 --- a/docs/19-devsecops-pipelines.md +++ b/docs/19-devsecops-pipelines.md @@ -37,6 +37,16 @@ steps: run: ./tools/policy-validate.sh ``` +## Policy-as-code loop (visual) +```mermaid +flowchart LR + A[Author] --> B[Test] + B --> C[Deploy] + C --> D[Monitor Drift] + D --> E[Fix] + E --> A +``` + ## Diagram Policy-as-code lifecycle: [`22-diagrams/policy-as-code-loop.mmd`](22-diagrams/policy-as-code-loop.mmd) diff --git a/docs/site/README.md b/docs/site/README.md new file mode 100644 index 0000000..85a0b63 --- /dev/null +++ b/docs/site/README.md @@ -0,0 +1,3 @@ +# Static Site + +Open `index.html` to view a lightweight HTML version of the documentation with navigation and search. diff --git a/docs/site/assets/app.js b/docs/site/assets/app.js new file mode 100644 index 0000000..ec5b772 --- /dev/null +++ b/docs/site/assets/app.js 
@@ -0,0 +1,43 @@ +const pages = [ + { title: "Overview", href: "pages/overview.html" }, + { title: "Service Definition", href: "pages/service-definition.html" }, + { title: "Operating Model", href: "pages/operating-model.html" }, + { title: "Architecture", href: "pages/architecture.html" }, + { title: "KPIs", href: "pages/kpis.html" }, + { title: "Roadmap", href: "pages/roadmap.html" }, + { title: "Runbooks", href: "pages/runbooks.html" }, + { title: "Templates", href: "pages/templates.html" }, + { title: "Hybrid", href: "pages/hybrid.html" } +]; + +function buildNav() { + const nav = document.getElementById("nav-links"); + pages.forEach((page) => { + const link = document.createElement("a"); + link.href = page.href; + link.textContent = page.title; + nav.appendChild(link); + }); +} + +function setupSearch() { + const input = document.getElementById("search"); + if (!input) return; + input.addEventListener("input", (event) => { + const query = event.target.value.toLowerCase(); + const results = pages.filter((page) => + page.title.toLowerCase().includes(query) + ); + const nav = document.getElementById("nav-links"); + nav.innerHTML = ""; + results.forEach((page) => { + const link = document.createElement("a"); + link.href = page.href; + link.textContent = page.title; + nav.appendChild(link); + }); + }); +} + +buildNav(); +setupSearch(); diff --git a/docs/site/assets/style.css b/docs/site/assets/style.css new file mode 100644 index 0000000..0ee9c39 --- /dev/null +++ b/docs/site/assets/style.css 
@@ -0,0 +1,80 @@ +:root { + --bg: #f7f9fb; + --text: #1f2933; + --nav: #ffffff; + --accent: #0b5cab; +} + +* { + box-sizing: border-box; +} + +body { + margin: 0; + font-family: Arial, sans-serif; + color: var(--text); + background: var(--bg); +} + +header { + background: var(--nav); + padding: 1rem 1.5rem; + border-bottom: 1px solid #e0e6ed; +} + +.container { + display: flex; + min-height: calc(100vh - 60px); +} + +nav { + width: 260px; + background: var(--nav); + border-right: 1px solid #e0e6ed; + padding: 1rem; +} + +main { + flex: 1; + padding: 2rem; +} + +nav a { + display: block; + color: var(--text); + text-decoration: none; + padding: 0.4rem 0; +} + +nav a:hover { + color: var(--accent); +} + +.search { + margin-bottom: 1rem; +} + +.search input { + width: 100%; + padding: 0.5rem; + border: 1px solid #ccd6e0; + border-radius: 4px; +} + +.card { + background: white; + padding: 1rem; + border-radius: 6px; + border: 1px solid #e0e6ed; + margin-bottom: 1rem; +} + +@media (max-width: 900px) { + .container { + flex-direction: column; + } + + nav { + width: 100%; + } +} diff --git a/docs/site/index.html b/docs/site/index.html new file mode 100644 index 0000000..d1f99ab --- /dev/null +++ b/docs/site/index.html @@ -0,0 +1,39 @@ + + + + + + Cloud Security Service Model + + + +
+ Cloud Security Service Model +
Azure + Hybrid operating model
+
+
+ +
+
+

Overview

+

+ This site summarizes the enterprise Cloud Security Service operating model. The canonical source of truth + is the Markdown documentation in the docs/ folder. +

+

+ Start with the executive overview and service definition to understand scope, boundaries, and ownership. +

+

+ Go to overview +

+
+
+
+ + + diff --git a/docs/site/pages/architecture.html b/docs/site/pages/architecture.html new file mode 100644 index 0000000..a81a524 --- /dev/null +++ b/docs/site/pages/architecture.html @@ -0,0 +1,31 @@ + + + + + + Architecture + + + +
+ Architecture +
+
+ +
+
+

Architecture

+

Principles and reference architecture for the Cloud Security Service.

+

Architecture principles

+

Reference architecture

+
+
+
+ + + diff --git a/docs/site/pages/hybrid.html b/docs/site/pages/hybrid.html new file mode 100644 index 0000000..9bb3239 --- /dev/null +++ b/docs/site/pages/hybrid.html @@ -0,0 +1,30 @@ + + + + + + Hybrid + + + +
+ Hybrid and Azure Local +
+
+ +
+
+

Hybrid

+

Guidance for Azure Arc onboarding and Azure Local baseline controls.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/site/pages/kpis.html b/docs/site/pages/kpis.html new file mode 100644 index 0000000..2199055 --- /dev/null +++ b/docs/site/pages/kpis.html @@ -0,0 +1,30 @@ + + + + + + KPIs + + + +
+ KPIs +
+
+ +
+
+

Metrics and KPIs

+

Definitions, formulas, targets, and ownership for key metrics.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/site/pages/operating-model.html b/docs/site/pages/operating-model.html new file mode 100644 index 0000000..cc07719 --- /dev/null +++ b/docs/site/pages/operating-model.html @@ -0,0 +1,30 @@ + + + + + + Operating Model + + + +
+ Operating Model +
+
+ +
+
+

Operating Model

+

Plan, build, run, and improve with defined cadence and escalation paths.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/site/pages/overview.html b/docs/site/pages/overview.html new file mode 100644 index 0000000..0c7bdab --- /dev/null +++ b/docs/site/pages/overview.html @@ -0,0 +1,30 @@ + + + + + + Overview + + + +
+ Overview +
+
+ +
+
+

Executive Overview

+

High-level purpose, assumptions, and framework alignment.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/site/pages/roadmap.html b/docs/site/pages/roadmap.html new file mode 100644 index 0000000..9a07eaa --- /dev/null +++ b/docs/site/pages/roadmap.html @@ -0,0 +1,30 @@ + + + + + + Roadmap + + + +
+ Roadmap +
+
+ +
+
+

Roadmap and Maturity

+

Phased maturity model with a sample 12-month roadmap.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/site/pages/runbooks.html b/docs/site/pages/runbooks.html new file mode 100644 index 0000000..937a568 --- /dev/null +++ b/docs/site/pages/runbooks.html @@ -0,0 +1,30 @@ + + + + + + Runbooks + + + +
+ Runbooks +
+
+ +
+
+

Runbooks

+

Operational guides for triage, remediation, and onboarding.

+

View Markdown runbook index

+
+
+
+ + + diff --git a/docs/site/pages/service-definition.html b/docs/site/pages/service-definition.html new file mode 100644 index 0000000..5d16f1f --- /dev/null +++ b/docs/site/pages/service-definition.html @@ -0,0 +1,30 @@ + + + + + + Service Definition + + + +
+ Service Definition +
+
+ +
+
+

Service Definition

+

Mission, outcomes, boundaries, and RACI for the Cloud Security Service.

+

View Markdown doc

+
+
+
+ + + diff --git a/docs/site/pages/templates.html b/docs/site/pages/templates.html new file mode 100644 index 0000000..15a9bd8 --- /dev/null +++ b/docs/site/pages/templates.html @@ -0,0 +1,30 @@ + + + + + + Templates + + + +
+ Templates +
+
+ +
+
+

Templates

+

Usable templates for risk, incidents, change requests, and service reviews.

+

View Markdown template index

+
+
+
+ + +
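Review bot: in CODEX_INSTRUCTIONS.md the @@ -167 hunk adds a second static site tree under `docs/ site/` while the existing `site/` tree immediately below it stays in place, and the @@ -32 hunk still says `Use HTML/CSS for \`/site\` static docs`, so the instructions now name two locations for the same site. Pick one (either move the new tree to `site/` or change the @@ -32 line to `docs/site/`) and delete the other; otherwise every later change to `app.js`, `style.css` or a page has to be made twice and the two copies will drift.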
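Review bot: the line added in the CODEX_INSTRUCTIONS.md @@ -381 hunk, `+- Each diagram should be referenced by at least one doc and the related doc should mention the diagram.`, restates the existing `- Diagrams referenced from relevant docs` item two lines above it. Fold it into that item (for example `- Every diagram under docs/22-diagrams is referenced by at least one doc`) rather than keeping two bullets with the same requirement.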
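Review bot: README.md now has two `Static site:` bullets (@@ -47) and two `Open ... to browse` sentences (@@ -68) that differ only in the path, `docs/site/index.html` versus `site/index.html`, with no indication which is canonical. Keep one bullet and one sentence, or, if both sites are intentional, label them (for example `Static site (docs/)` and `Static site (root)`) and state which one the best-effort link check in CI covers.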
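Review bot: the `## Service lifecycle (visual)` mermaid block added to docs/00-executive-overview.md (@@ -30) is a further copy of the lifecycle that README.md already carries under `## Service lifecycle (preview)` as a `graph LR` block, while the other docs in this change link `.mmd` files in `22-diagrams/`. The copies already differ in syntax (`graph LR` versus `flowchart LR`) and will diverge in content. Keep one source and link to it from the `## Documentation index` that follows, which is also what the new `cross-linked` rule in CODEX_INSTRUCTIONS.md asks for.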
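Review bot: the `## Shared responsibility (visual)` flowchart added to docs/04-reference-architecture.md (@@ -17) draws one fixed split (`Cloud Provider` owns Physical Security, Hypervisor and Core Services; `Customer` owns Identity, Data, Configuration and Applications) and so leaves out the part of the model that matters for a service that, per the context line, `supports Azure and hybrid assets via Azure Arc`: the boundary moves with the service model (IaaS, PaaS, SaaS), and for Arc-enabled and Azure Local hosts the customer also operates the physical layer and hypervisor that the diagram assigns to the provider. Either add the service-model dimension (one subgraph per model) or rename the heading to say this is the Azure IaaS view. Also, `-->` denotes flow in every other diagram in this change, so `owns` relationships would be clearer as subgraphs or edge labels.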
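Review bot: docs/05-operating-model.md (@@ -8), docs/16-logging-monitoring-siem.md (@@ -13) and docs/19-devsecops-pipelines.md (@@ -37) each gain an inline `(visual)` mermaid block directly above an unchanged `## Diagram` section that links the same diagram as a `.mmd` file in `22-diagrams/`, so each diagram now exists twice with no stated canonical copy. Prefer one: either drop the `.mmd` files and their `## Diagram` sections, or keep the `.mmd` files and have the CI workflow that already checks mermaid syntax compare the inline block against the file, so the two cannot drift.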
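Review bot: in docs/16-logging-monitoring-siem.md the context line `Azure Arc-enabled servers forward logs to centralized SIEM with consistent tags and retention.` and the new diagram disagree on the path: the diagram sends `Arc-enabled Servers` to `Log Analytics` and only then to `SIEM`, and routes `Azure Local` through an unnamed `Log Forwarder` that no other node uses. State which path is intended and what the forwarder is, because the tagging and retention the prose promises are enforced at a different place in each case.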
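Review bot: in docs/site/assets/app.js `buildNav()` calls `nav.appendChild` without the null check that `setupSearch()` applies to `input`, so any page that loads the script without a `#nav-links` element throws on load; the link-rendering loop is also duplicated verbatim in both functions. Extract one `renderNav(list)` that guards the element, clears it and appends the links, and call it from both places. Two smaller points: the `pages[]` hrefs are relative (`pages/overview.html`), which resolves correctly from `index.html` but not from a page under `pages/` if those pages reuse this script; and the filter matches only `page.title`, so the `navigation and search` promised in docs/site/README.md is a title filter over nine entries. Building links with `createElement` and `textContent` rather than `innerHTML` is the right choice; keep it that way if titles ever come from the URL.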
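Review bot: in docs/site/assets/style.css `.container { min-height: calc(100vh - 60px); }` hardcodes a header height of 60px, but `header` is sized by `padding: 1rem 1.5rem` plus the font, so the value is off as soon as the root font size or the header text changes. Make `body` a flex column with `.container { flex: 1; }`, or put the height in a `--header-height` variable beside the other `:root` variables and use it in both rules.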
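Review bot: docs/site/index.html states `The canonical source of truth is the Markdown documentation in the docs/ folder`, but this change places the HTML site itself under `docs/site/`, so the sentence now points at a folder holding both the canonical Markdown and the derived HTML. Say `the Markdown files under docs/` explicitly, or move the site out of `docs/`. The markup of this and the other HTML files has been stripped from this diff view, so tag structure, the targets behind `Go to overview` and the `View Markdown doc` links, and the script and stylesheet references could not be reviewed here; confirm that the files under `pages/` reference `../assets/` and that their Markdown links resolve from `docs/site/pages/`.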
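Review bot: each new file under docs/site/pages/ (architecture.html, hybrid.html, kpis.html, operating-model.html, overview.html, roadmap.html, runbooks.html, service-definition.html, templates.html) holds a heading, a one-sentence summary and a `View Markdown doc` link, which is the placeholder content this same change forbids in CODEX_INSTRUCTIONS.md (`Every major document must be complete, non-placeholder`). Either generate these pages from the Markdown in a build step or scope that instruction to `docs/*.md`. architecture.html also differs from the other eight: it lists `Architecture principles` and `Reference architecture` and has no `View Markdown doc` link, so the navigation pattern is inconsistent across pages.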