# Policy Tiers and Tier Selection Guide
This guide helps you choose the right KafkaGuard policy tier for your environment and understand the differences between available policy options.
## Table of Contents
- Policy Tier Overview
- Tier Decision Framework
- Tier Comparison Matrix
- Policy Tier Details
- Tier Selection Checklist
- Quick Tier Selection Commands
- Tier Transition Strategies
## Policy Tier Overview
KafkaGuard provides three policy tiers designed for different environments and compliance requirements:
| Tier | Controls | Focus | Best For | File Location |
|---|---|---|---|---|
| baseline-dev | 20 | Reliability + Operations | Development, testing | policies/baseline-dev.yaml |
| enterprise-default | 40 | Security + Reliability + Operations | Production, enterprise | policies/enterprise-default.yaml |
| finance-iso | 50 | Advanced Compliance | Regulated industries (Phase 2) | policies/finance-iso.yaml |
**Key Differentiators:**
- **Control Count:** more controls means stricter compliance
- **Security Focus:** `baseline-dev` has no security controls; the other two tiers add security requirements
- **Compliance Mapping:** the `enterprise-default` and `finance-iso` tiers include PCI-DSS, SOC2 and ISO 27001 mappings
- **Remediation Depth:** higher tiers provide more detailed remediation guidance
## Tier Decision Framework
Choose your policy tier based on these key factors:
### Primary Decision Factors
- Environment Type (Development vs. Production)
- Data Sensitivity (Internal vs. Customer data)
- Compliance Requirements (None vs. PCI-DSS/SOC2/ISO 27001)
- Security Posture (Basic vs. Enterprise-grade)
### Decision Flow Chart
```text
┌─────────────────────────┐
│ Is this production?     │
└─────────┬───────────────┘
          │
          ▼
┌─────────────────────────┐   NO    ┌─────────────────────┐
│ Handle customer data    ├────────►│ baseline-dev        │
│ or PII?                 │         │ (20 controls)       │
└─────────┬───────────────┘         └─────────────────────┘
          │
          ▼
┌─────────────────────────┐   NO    ┌─────────────────────┐
│ Regulated industry?     ├────────►│ enterprise-default  │
│ (Finance, Healthcare,   │         │ (40 controls)       │
│  Government)            │         └─────────────────────┘
└─────────┬───────────────┘
          │
          ▼
┌─────────────────────────┐   YES   ┌─────────────────────┐
│ Phase 2 available?      ├────────►│ finance-iso         │
│ (Current: Phase 1)      │         │ (50 controls)       │
└─────────┬───────────────┘         └─────────────────────┘
          │ NO
          ▼
┌─────────────────────┐
│ enterprise-default  │
│ (40 controls)       │
└─────────────────────┘
```
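The flow chart above, written out as a shell function so it can be reused in scripts. This is an added example, not part of KafkaGuard; the tier names, policy file paths and the Phase 1/Phase 2 split come from this guide, while the argument names and accepted values (`development`, `yes`/`no`, the phase number) are assumptions made for illustration. It generalizes the chart slightly by treating dev, sandbox and test clusters as the "not production" answer to the first question, as the comparison matrix and checklist do.

```sh
#!/bin/sh
# Added example (not KafkaGuard code): the tier decision flow chart as a function.
#
# select_tier ENVIRONMENT CUSTOMER_DATA REGULATED [PHASE]
#   ENVIRONMENT   development | sandbox | test | staging | production
#   CUSTOMER_DATA yes | no   (does the cluster carry customer data or PII?)
#   REGULATED     yes | no   (finance, healthcare, government)
#   PHASE         1 | 2      (finance-iso only exists from Phase 2; default 1)
# Prints the tier name on stdout; returns 2 for an input it cannot classify.
select_tier() {
    environment="$1"; customer_data="$2"; regulated="$3"; phase="${4:-1}"

    # Step 1: is this production? Dev, sandbox and test clusters never need
    # the security controls, so they get baseline-dev straight away.
    case "$environment" in
        development|dev|sandbox|test) echo "baseline-dev"; return 0 ;;
        staging|production|prod) ;;
        *) echo "select_tier: unknown environment '$environment'" >&2; return 2 ;;
    esac

    # Step 2: production that holds no customer data or PII -> baseline-dev.
    case "$customer_data" in
        no)  echo "baseline-dev"; return 0 ;;
        yes) ;;
        *)   echo "select_tier: CUSTOMER_DATA must be yes or no" >&2; return 2 ;;
    esac

    # Step 3: customer data but no regulator -> enterprise-default.
    case "$regulated" in
        no)  echo "enterprise-default"; return 0 ;;
        yes) ;;
        *)   echo "select_tier: REGULATED must be yes or no" >&2; return 2 ;;
    esac

    # Step 4: regulated industry -> finance-iso once Phase 2 ships, otherwise
    # enterprise-default (the guide's current recommendation for regulated clusters).
    if [ "$phase" -ge 2 ] 2>/dev/null; then
        echo "finance-iso"
    else
        echo "enterprise-default"
    fi
}

# policy_file TIER prints the policy path listed in the tier overview table.
policy_file() {
    case "$1" in
        baseline-dev|enterprise-default|finance-iso) echo "policies/$1.yaml" ;;
        *) echo "policy_file: unknown tier '$1'" >&2; return 2 ;;
    esac
}

# Demo over constructed inputs: prints one line per scenario.
for scenario in "development no no 1" "production no no 1" "production yes no 1" \
                "production yes yes 1" "production yes yes 2"; do
    set -- $scenario
    tier=$(select_tier "$@") && \
        printf '%-24s -> %-18s %s\n' "$scenario" "$tier" "$(policy_file "$tier")"
done
```

Because the function returns a non-zero status for anything it cannot classify, a pipeline can fail closed (`tier=$(select_tier ...) || exit 1`) rather than silently scanning a production cluster against the development tier.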
## Tier Comparison Matrix
Use this matrix to compare policy tiers across key dimensions:
| Criteria | baseline-dev | enterprise-default | finance-iso (Phase 2) |
|---|---|---|---|
| Environment | Dev, Sandbox, Test | Production, Staging | Production (Regulated) |
| Security Protocol | PLAINTEXT, SSL | SASL_SSL (required) | SASL_SSL + mTLS |
| Authentication | Optional | SASL required | SASL + mTLS required |
| Compliance Needs | None | PCI-DSS, SOC2, ISO 27001 | PCI-DSS Level 1, HIPAA, ISO 27001 certified |
| Data Sensitivity | Low (internal only) | Medium-High (customer data) | High (PII, PHI, financial data) |
| Audit Requirements | None | Standard audits | Regulatory audits + certifications |
| Control Count | 20 | 40 | 50 |
| Security Controls | 0 | 15 | 25 |
| Reliability Controls | 8 | 12 | 12 |
| Operational Controls | 12 | 13 | 13 |
| Scan Duration | ~8 seconds | ~10 seconds | ~12 seconds |
| File Location | policies/baseline-dev.yaml | policies/enterprise-default.yaml | policies/finance-iso.yaml |
### Control Distribution Breakdown
| Control Category | baseline-dev | enterprise-default | finance-iso (Phase 2) | Description |
|---|---|---|---|---|
| Security | 0 | 15 | 25 | SASL, SSL/TLS, ACLs, encryption |
| Reliability | 8 | 12 | 12 | Replication, ISR, ZooKeeper quorum |
| Operational | 12 | 13 | 13 | Configuration, retention, threading |
| Compliance | 0 | 0 | 0 | Framework-specific requirements |
| Total | 20 | 40 | 50 | All categories combined |
## Policy Tier Details
### baseline-dev (20 Controls)
- **Focus:** Reliability and operational checks for development environments
- **Best For:** Development clusters, sandboxes, testing environments
- **Security Level:** None (no security controls)
#### Control Categories
- **Reliability Controls (8):** Replication factors, ISR validation, ZooKeeper quorum, broker versions, partition balance, under-replicated partitions, offline partitions
- **Operational Controls (12):** Auto-create topics, log directories, retention policies, thread configurations, compression settings, quotas
#### Example Controls
| Control ID | Title | Severity | Category |
|---|---|---|---|
| KG-016 | Minimum replication factor ≥3 | MEDIUM | reliability |
| KG-017 | In-Sync Replicas (ISR) ≥2 | MEDIUM | reliability |
| KG-019 | ZooKeeper quorum odd (3+) | MEDIUM | reliability |
| KG-028 | Auto-create topics disabled | MEDIUM | operational |
| KG-031 | Compression type configured | MEDIUM | operational |
#### Sample Scan Commands
**Development Cluster:**
```bash
# Basic scan with PLAINTEXT
kafkaguard scan \
  --bootstrap localhost:9092 \
  --policy policies/baseline-dev.yaml \
  --format html,json \
  --out ./reports
```
**Development with SSL:**
```bash
# Development cluster with SSL encryption
kafkaguard scan \
  --bootstrap kafka-dev.example.com:9093 \
  --security-protocol SSL \
  --tls-ca-cert /path/to/ca-cert.pem \
  --policy policies/baseline-dev.yaml \
  --format html \
  --out ./reports
```
**Expected Results:**
- ✅ 16-18 passed controls (typical for well-configured dev cluster)
- ⚠️ 2-4 failed controls (configuration issues)
- 🔵 0-1 N/A controls
- 📊 Score: 80-90% (varies by cluster configuration)
### enterprise-default (40 Controls)
- **Focus:** Security, reliability, and operational validation for production environments
- **Best For:** Production clusters, enterprise environments, standard compliance
- **Security Level:** High (SASL_SSL required)
#### Control Categories
- **Security Controls (15):** SASL authentication, SSL/TLS encryption, certificate validation, inter-broker encryption, ACLs
- **Reliability Controls (12):** All baseline-dev reliability controls plus additional checks
- **Operational Controls (13):** All baseline-dev operational controls plus additional validation
#### Additional Security Controls
| Control ID | Title | Severity | Category | Description |
|---|---|---|---|---|
| KG-001 | SASL authentication enabled | HIGH | security | Requires SASL for client connections |
| KG-002 | SSL/TLS enabled | HIGH | security | Requires TLS encryption |
| KG-003 | Inter-broker SSL enabled | HIGH | security | Encrypts broker-to-broker communication |
| KG-004 | SSL client authentication | HIGH | security | Requires client certificates |
| KG-005 | TLS certificate expiry >30 days | HIGH | security | Validates certificate expiration |
| KG-006 | TLS protocol ≥1.2 | HIGH | security | Enforces modern TLS versions |
| KG-007 | SCRAM authentication enabled | HIGH | security | Requires SCRAM (not PLAIN) |
| KG-008 | ACLs enabled | MEDIUM | security | Requires ACL authorization |
| KG-009 | ACLs configured | MEDIUM | security | Validates ACL rules exist |
| KG-010 | SASL/SCRAM SHA-512 preferred | MEDIUM | security | Recommends strongest SCRAM mechanism |
#### Sample Scan Commands
**Production SASL_SSL Scan:**
```bash
# Production scan with SASL_SSL and SCRAM-SHA-512
export KAFKAGUARD_SASL_USERNAME="kafkaguard"
export KAFKAGUARD_SASL_PASSWORD="$(vault kv get -field=password secret/kafka/prod)"
kafkaguard scan \
  --bootstrap kafka1.prod:9095,kafka2.prod:9095,kafka3.prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --format json,html,pdf \
  --out /var/reports/kafkaguard \
  --fail-on high \
  --timeout 600
```
**Staging Environment Scan:**
```bash
# Staging scan with environment variables
export KAFKAGUARD_SASL_USERNAME="kafkaguard-staging"
export KAFKAGUARD_SASL_PASSWORD="$(vault kv get -field=password secret/kafka/staging)"
kafkaguard scan \
  --bootstrap kafka-staging:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-256 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --format json,html \
  --out ./reports/staging
```
**Expected Results:**
- ✅ 32-38 passed controls (typical for compliant production cluster)
- ❌ 2-8 failed controls (security/compliance gaps)
- 🔵 0 N/A controls
- 📊 Score: 80-95% (varies by security posture)
### finance-iso (50 Controls - Phase 2)
- **Focus:** Advanced compliance controls for regulated industries
- **Best For:** Financial services, healthcare, government, highly regulated environments
- **Security Level:** Highest (SASL_SSL + mTLS required)
#### Additional Controls (10 more beyond enterprise-default)
- **Enhanced Security (5 controls):** Mutual TLS requirements, strong cipher suites, privileged user auditing, encryption at rest validation
- **Advanced Compliance (5 controls):** 90+ day audit log retention, admin access restrictions, ISO 27001 specific mappings
#### Planned Additional Controls
| Control ID | Title | Severity | Category | Status |
|---|---|---|---|---|
| KG-041 | Audit logging retention >90 days | HIGH | compliance | Phase 2 |
| KG-042 | Mutual TLS required for all clients | HIGH | security | Phase 2 |
| KG-043 | Encryption at rest enabled | HIGH | security | Phase 2 |
| KG-044 | Strong cipher suites only | HIGH | security | Phase 2 |
| KG-045 | Admin access restrictions | HIGH | security | Phase 2 |
| KG-046 | Privileged user auditing | MEDIUM | security | Phase 2 |
| KG-047 | PCI-DSS Level 1 compliance | HIGH | compliance | Phase 2 |
| KG-048 | HIPAA data protection | HIGH | compliance | Phase 2 |
| KG-049 | ISO 27001 certification ready | HIGH | compliance | Phase 2 |
| KG-050 | Regulatory audit trail | MEDIUM | compliance | Phase 2 |
**Status:** Planned for Phase 2 (post-MVP). Currently, use `enterprise-default.yaml` for regulated environments.
## Tier Selection Checklist
Use this checklist to select the appropriate policy tier:
### Environment Assessment
- Development/Sandbox? → Use `baseline-dev`
- Production with customer data? → Use `enterprise-default`
- Regulated industry (finance/healthcare/gov)? → Use `enterprise-default` (Phase 1) or `finance-iso` (Phase 2)
- Internal testing only? → Use `baseline-dev`
- CI/CD integration? → Use `enterprise-default` for production-like scanning
### Security Requirements
- SASL authentication required? → Use `enterprise-default` or higher
- SSL/TLS encryption required? → Use `enterprise-default` or higher
- Mutual TLS required? → Use `finance-iso` (Phase 2)
- Certificate validation needed? → Use `enterprise-default` or higher
### Compliance Requirements
- PCI-DSS compliance needed? → Use `enterprise-default` or higher
- SOC2 Trust Service Criteria? → Use `enterprise-default` or higher
- ISO 27001 alignment? → Use `enterprise-default` or higher
- HIPAA/HITECH? → Use `finance-iso` (Phase 2)
- Regulatory audits? → Use `enterprise-default` or higher
### Operational Considerations
- Scan performance critical? → `baseline-dev` is fastest (~8 seconds)
- Detailed remediation needed? → Higher tiers provide more guidance
- Custom controls required? → Create a custom policy based on the appropriate tier
- Team size and resources? → Higher tiers require more security expertise
### Decision Matrix
| Environment Type | Data Sensitivity | Compliance Level | Recommended Tier |
|---|---|---|---|
| Development | Low (internal) | None | baseline-dev |
| Staging | Medium | Basic | enterprise-default |
| Production | High (customer) | Standard (PCI/SOC2/ISO) | enterprise-default |
| Production | High (PII/PHI) | Advanced (HIPAA/regulatory) | finance-iso (Phase 2) |
## Quick Tier Selection Commands
### Development Environment
```bash
# Quick dev scan
kafkaguard scan --bootstrap localhost:9092
# Dev with custom output
kafkaguard scan \
  --bootstrap localhost:9092 \
  --policy policies/baseline-dev.yaml \
  --format html \
  --out ./dev-reports
```
### Production Environment
```bash
# Production scan with security
export KAFKAGUARD_SASL_USERNAME="kafkaguard"
export KAFKAGUARD_SASL_PASSWORD="$(vault kv get -field=password secret/kafka/prod)"
kafkaguard scan \
  --bootstrap kafka-prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --format json,html,pdf \
  --out /var/reports/kafkaguard
```
### CI/CD Pipeline
```bash
# CI/CD scan with appropriate tier
if [ "$ENVIRONMENT" = "production" ]; then
  POLICY="policies/enterprise-default.yaml"
  FAIL_ON="high"
else
  POLICY="policies/baseline-dev.yaml"
  FAIL_ON="medium"
fi
# Quote the variables so an unset or space-containing value cannot
# silently change the argument list.
kafkaguard scan \
  --bootstrap "$KAFKA_BROKER" \
  --policy "$POLICY" \
  --format json \
  --fail-on "$FAIL_ON" \
  --no-color
```
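A more defensive version of the CI/CD wrapper above and of the production quick command, as an added example that is not KafkaGuard's own code: it picks the policy and `--fail-on` threshold from the environment name and, for the `enterprise-default` tier, refuses to start a scan unless the SASL_SSL inputs that tier assumes (the `KAFKAGUARD_SASL_USERNAME`/`KAFKAGUARD_SASL_PASSWORD` variables and a readable CA certificate) are present. The flags are the ones this guide uses; the environment names, the `./reports/<env>` output directory and the `DRY_RUN` switch are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not KafkaGuard code): CI wrapper with tier-aware preflight checks.

# run CMD...: print the command instead of executing it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# scan_plan ENVIRONMENT BOOTSTRAP CA_CERT
# Returns 2 for an unknown environment, 1 when a secured tier lacks its
# prerequisites; otherwise runs (or, under DRY_RUN, prints) the scan.
scan_plan() {
    environment="$1"; bootstrap="$2"; ca_cert="$3"

    case "$environment" in
        production)
            policy="policies/enterprise-default.yaml"; fail_on="high"
            mechanism="SCRAM-SHA-512" ;;
        staging)
            policy="policies/enterprise-default.yaml"; fail_on="high"
            mechanism="SCRAM-SHA-256" ;;
        development|dev|test|sandbox)
            policy="policies/baseline-dev.yaml"; fail_on="medium"
            mechanism="" ;;
        *)  echo "scan_plan: unknown environment '$environment'" >&2; return 2 ;;
    esac

    if [ -z "$mechanism" ]; then
        # baseline-dev has no security controls; the guide's dev scans connect
        # without SASL, so no credential check applies here.
        run kafkaguard scan --bootstrap "$bootstrap" --policy "$policy" \
            --format json --out "./reports/$environment" --fail-on "$fail_on" --no-color
        return $?
    fi

    # enterprise-default requires SASL_SSL. Fail the job early with a clear
    # message instead of letting the scan fail at connection time.
    if [ -z "${KAFKAGUARD_SASL_USERNAME:-}" ] || [ -z "${KAFKAGUARD_SASL_PASSWORD:-}" ]; then
        echo "scan_plan: KAFKAGUARD_SASL_USERNAME and KAFKAGUARD_SASL_PASSWORD must be set for $environment" >&2
        return 1
    fi
    if [ ! -r "$ca_cert" ]; then
        echo "scan_plan: CA certificate '$ca_cert' is not readable" >&2
        return 1
    fi
    run kafkaguard scan --bootstrap "$bootstrap" --security-protocol SASL_SSL \
        --sasl-mechanism "$mechanism" --tls-ca-cert "$ca_cert" --policy "$policy" \
        --format json --out "./reports/$environment" --fail-on "$fail_on" --no-color
}

# Demo in dry-run mode with constructed values (nothing is executed).
DRY_RUN=1
scan_plan development localhost:9092 /dev/null
( export KAFKAGUARD_SASL_USERNAME=kafkaguard-ci KAFKAGUARD_SASL_PASSWORD=example-only
  scan_plan production kafka-prod:9095 /dev/null )
```

In a real pipeline the credentials come from the secret store, as in the `vault kv get` lines earlier in this guide, and `DRY_RUN` stays unset so `run` executes the scan and the job inherits its exit status.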
### Multi-Environment Scanning
```bash
# Scan multiple environments with appropriate tiers (requires bash 4+ for associative arrays)
declare -A ENV_POLICIES=(
  ["dev"]="policies/baseline-dev.yaml"
  ["staging"]="policies/enterprise-default.yaml"
  ["prod"]="policies/enterprise-default.yaml"
)
for env in "${!ENV_POLICIES[@]}"; do
  echo "Scanning $env environment..."
  kafkaguard scan \
    --bootstrap "kafka-$env:9092" \
    --policy "${ENV_POLICIES[$env]}" \
    --format json \
    --out "./reports/$env"
done
```
## Tier Transition Strategies
### From baseline-dev to enterprise-default
**When:** Moving from development to production
```bash
# 1. Test enterprise policy in staging
kafkaguard scan \
  --bootstrap kafka-staging:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-256 \
  --tls-ca-cert /path/to/ca-cert.pem \
  --policy policies/enterprise-default.yaml \
  --format html \
  --out ./transition-test
# 2. Address security gaps
# - Enable SASL authentication
# - Configure SSL/TLS certificates
# - Set up proper ACLs
# 3. Deploy to production
kafkaguard scan \
  --bootstrap kafka-prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --format json,html,pdf \
  --out /var/reports/kafkaguard \
  --fail-on high
```
### Custom Policy Development
**When:** Standard tiers don't meet specific requirements
```bash
# 1. Start with appropriate base tier
cp policies/enterprise-default.yaml policies/custom-org.yaml
# 2. Add custom controls (KG-051+)
# Edit policies/custom-org.yaml
# 3. Validate custom policy
kafkaguard validate-policy --policy policies/custom-org.yaml
# 4. Test against cluster
kafkaguard scan \
  --bootstrap kafka-test:9092 \
  --policy policies/custom-org.yaml \
  --format json
# 5. Deploy to production
kafkaguard scan \
  --bootstrap kafka-prod:9095 \
  --policy policies/custom-org.yaml \
  --format json,html,pdf \
  --out /var/reports/kafkaguard
```
### Gradual Rollout Strategy
```bash
# Phase 1: Baseline monitoring (no failures)
kafkaguard scan \
  --bootstrap kafka:9092 \
  --policy policies/baseline-dev.yaml \
  --fail-on none \
  --format json,html
# Phase 2: Enterprise policy (warning only)
kafkaguard scan \
  --bootstrap kafka:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --fail-on none \
  --format json,html
# Phase 3: Full enforcement
kafkaguard scan \
  --bootstrap kafka:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --fail-on high \
  --format json,html,pdf
```
## Next Steps
- Policy Creation Guide - Learn how to customize policies for your requirements
- CLI Reference - Command-line options for policy scanning
- Configuration Guide - Configure KafkaGuard for different environments
## Document Information
- **Last Updated:** 2025-11-15
- **Applies to Version:** KafkaGuard 1.0.0+
- **Feedback:** Open an issue for corrections or improvements