Policy Tiers and Tier Selection Guide

This guide helps you choose the right KafkaGuard policy tier for your environment and understand the differences between available policy options.

Table of Contents

Policy Tier Overview

KafkaGuard provides three policy tiers designed for different environments and compliance requirements:

TierControlsFocusBest ForFile Location
baseline-dev20Reliability + OperationsDevelopment, testingpolicies/baseline-dev.yaml
enterprise-default40Security + Reliability + OperationsProduction, enterprisepolicies/enterprise-default.yaml
finance-iso50Advanced ComplianceRegulated industries (Enterprise)policies/finance-iso.yaml

Key Differentiators:

  • Control Count: More controls = stricter compliance
  • Security Focus: Baseline has no security controls, others add security requirements
  • Compliance Mapping: Enterprise and Finance tiers include PCI-DSS, SOC2, ISO 27001 mappings
  • Remediation Depth: Higher tiers provide more detailed remediation guidance

Tier Decision Framework

Choose your policy tier based on these key factors:

Primary Decision Factors

  1. Environment Type (Development vs. Production)
  2. Data Sensitivity (Internal vs. Customer data)
  3. Compliance Requirements (None vs. PCI-DSS/SOC2/ISO 27001)
  4. Security Posture (Basic vs. Enterprise-grade)

Decision Flow Chart

┌─────────────────────────┐
│   Is this production?   │
└─────────┬───────────────┘
          │
          ▼
┌─────────────────────────┐    NO     ┌─────────────────────┐
│ Handle customer data?   ├──────────►│   baseline-dev      │
│ or PII?                 │           │   (20 controls)     │
└─────────┬───────────────┘           └─────────────────────┘
          │
          ▼
┌─────────────────────────┐    NO     ┌─────────────────────┐
│ Regulated industry?     ├──────────►│ enterprise-default  │
│ (Finance, Healthcare,   │           │   (40 controls)     │
│ Government)             │           └─────────────────────┘
└─────────┬───────────────┘
          │
          ▼
          │ YES
          ▼
    ┌─────────────────────┐
    │   finance-iso       │
    │   (50 controls)     │
    └─────────────────────┘

Tier Comparison Matrix

Use this matrix to compare policy tiers across key dimensions:

Criteriabaseline-deventerprise-defaultfinance-iso (Enterprise)
EnvironmentDev, Sandbox, TestProduction, StagingProduction (Regulated)
Security ProtocolPLAINTEXT, SSLSASL_SSL (required)SASL_SSL + mTLS
AuthenticationOptionalSASL requiredSASL + mTLS required
Compliance NeedsNonePCI-DSS, SOC2, ISO 27001PCI-DSS Level 1, HIPAA, ISO 27001 certified
Data SensitivityLow (internal only)Medium-High (customer data)High (PII, PHI, financial data)
Audit RequirementsNoneStandard auditsRegulatory audits + certifications
Control Count204050
Security Controls01525
Reliability Controls81212
Operational Controls121313
Scan Duration~8 seconds~10 seconds~12 seconds
File Locationpolicies/baseline-dev.yamlpolicies/enterprise-default.yamlpolicies/finance-iso.yaml

Control Distribution Breakdown

Control Categorybaseline-deventerprise-defaultfinance-iso (Enterprise)Description
Security01525SASL, SSL/TLS, ACLs, encryption
Reliability81212Replication, ISR, ZooKeeper quorum
Operational121313Configuration, retention, threading
Compliance000Framework-specific requirements
Total204050All categories combined

Policy Tier Details

baseline-dev (20 Controls)

Focus: Reliability and operational checks for development environments Best For: Development clusters, sandboxes, testing environments Security Level: None (no security controls)

Control Categories

  • Reliability Controls (8): Replication factors, ISR validation, ZooKeeper quorum, broker versions, partition balance, under-replicated partitions, offline partitions
  • Operational Controls (12): Auto-create topics, log directories, retention policies, thread configurations, compression settings, quotas

Example Controls

Control IDTitleSeverityCategory
KG-016Minimum replication factor ≥3MEDIUMreliability
KG-017In-Sync Replicas (ISR) ≥2MEDIUMreliability
KG-019ZooKeeper quorum odd (3+)MEDIUMreliability
KG-028Auto-create topics disabledMEDIUMoperational
KG-031Compression type configuredMEDIUMoperational

Sample Scan Commands

Development Cluster:

# Basic scan with PLAINTEXT
kafkaguard scan \
  --bootstrap localhost:9092 \
  --policy policies/baseline-dev.yaml \
  --format html,json \
  --out ./reports

Development with SSL:

# Development cluster with SSL encryption
kafkaguard scan \
  --bootstrap kafka-dev.example.com:9093 \
  --security-protocol SSL \
  --tls-ca-cert /path/to/ca-cert.pem \
  --policy policies/baseline-dev.yaml \
  --format html \
  --out ./reports

Expected Results:

  • ✅ 16-18 passed controls (typical for well-configured dev cluster)
  • ⚠️ 2-4 failed controls (configuration issues)
  • 🔵 0-1 N/A controls
  • 📊 Score: 80-90% (varies by cluster configuration)

enterprise-default (40 Controls)

Focus: Security, reliability, and operational validation for production environments Best For: Production clusters, enterprise environments, standard compliance Security Level: High (SASL_SSL required)

Control Categories

  • Security Controls (15): SASL authentication, SSL/TLS encryption, certificate validation, inter-broker encryption, ACLs
  • Reliability Controls (12): All baseline-dev reliability controls plus additional checks
  • Operational Controls (13): All baseline-dev operational controls plus additional validation

Additional Security Controls

Control IDTitleSeverityCategoryDescription
KG-001SASL authentication enabledHIGHsecurityRequires SASL for client connections
KG-002SSL/TLS enabledHIGHsecurityRequires TLS encryption
KG-003Inter-broker SSL enabledHIGHsecurityEncrypts broker-to-broker communication
KG-004SSL client authenticationHIGHsecurityRequires client certificates
KG-005TLS certificate expiry >30 daysHIGHsecurityValidates certificate expiration
KG-006TLS protocol ≥1.2HIGHsecurityEnforces modern TLS versions
KG-007SCRAM authentication enabledHIGHsecurityRequires SCRAM (not PLAIN)
KG-008ACLs enabledMEDIUMsecurityRequires ACL authorization
KG-009ACLs configuredMEDIUMsecurityValidates ACL rules exist
KG-010SASL/SCRAM SHA-512 preferredMEDIUMsecurityRecommends strongest SCRAM mechanism

Sample Scan Commands

Production SASL_SSL Scan:

# Production scan with SASL_SSL and SCRAM-SHA-512
export KAFKAGUARD_SASL_USERNAME="kafkaguard"
export KAFKAGUARD_SASL_PASSWORD="$(vault kv get -field=password secret/kafka/prod)"

kafkaguard scan \
  --bootstrap kafka1.prod:9095,kafka2.prod:9095,kafka3.prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --format json,html,pdf \
  --out /var/reports/kafkaguard \
  --fail-on high \
  --timeout 600

Staging Environment Scan:

# Staging scan with environment variables
export KAFKAGUARD_SASL_USERNAME="kafkaguard-staging"
export KAFKAGUARD_SASL_PASSWORD="$(vault kv get -field=password secret/kafka/staging)"

kafkaguard scan \
  --bootstrap kafka-staging:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-256 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --format json,html \
  --out ./reports/staging

Expected Results:

  • ✅ 32-38 passed controls (typical for compliant production cluster)
  • ❌ 2-8 failed controls (security/compliance gaps)
  • 🔵 0 N/A controls
  • 📊 Score: 80-95% (varies by security posture)

finance-iso (50 Controls)

Focus: Advanced compliance controls for regulated industries (Finance, Healthcare, PCI-DSS) Best For: Financial services, healthcare, government, highly regulated environments Security Level: Highest (SASL_SSL + mTLS required, audit logging, strict retention) File: policies/finance-iso.yaml Tier: Enterprise

This policy includes all 40 controls from enterprise-default plus 10 additional controls specifically targeting ISO 27001, PCI-DSS Level 1, HIPAA, SOC2, and GDPR requirements.

10 New Controls (KG-041 to KG-050)

Control IDTitleSeverityCategoryCompliance
KG-041Audit logging enabledHIGHsecurityPCI-DSS 10.1/10.2, ISO 27001 A.12.4
KG-042Log retention ≥90 daysMEDIUMsecurityPCI-DSS 10.7, SOC2 CC7.3
KG-043Encryption at rest configuredHIGHsecurityPCI-DSS 3.4/3.5, ISO 27001 A.10.1
KG-044Broker-to-broker mutual TLSHIGHsecurityPCI-DSS 4.1, ISO 27001 A.13.1
KG-045No deprecated TLS protocolsHIGHsecurityPCI-DSS 4.1, ISO 27001 A.13.1, HIPAA
KG-046Strong cipher suites onlyHIGHsecurityPCI-DSS 4.1, ISO 27001 A.10.1
KG-047ACL deny rules configuredMEDIUMsecurityISO 27001 A.9.4.1, SOC2 CC6.1
KG-048Admin access restricted (≤3 principals)HIGHsecuritySOC2 CC6.2/CC6.3, ISO 27001 A.9.2.3
KG-049Data retention policies enforcedMEDIUMsecurityPCI-DSS 3.1, GDPR Art. 5
KG-050Compliance metadata configuredLOWsecuritySOC2 CC7.1, GDPR Art. 30

Control Detail

KG-041 — Audit logging enabled Verifies authorizer.class.name is configured on all brokers. Without an authorizer, Kafka cannot log authorization decisions for security audits.

Remediation: authorizer.class.name=kafka.security.authorizer.AclAuthorizer

KG-042 — Log retention ≥90 days Checks log_retention_hours >= 2160 (90 days) on all brokers. PCI-DSS 10.7 requires audit logs be retained for at least one year with three months available online.

Remediation: log.retention.hours=2160 in server.properties

KG-043 — Encryption at rest configured Validates SSL is enabled and inter-broker encryption is active. Kafka has no native encryption at rest — this control enforces SSL as a proxy requirement alongside disk-level encryption guidance (LUKS/dm-crypt).

KG-044 — Broker-to-broker mutual TLS Requires inter_broker_protocol to be SSL or SASL_SSL. Ensures broker-to-broker communication is fully encrypted with certificate validation.

KG-045 — No deprecated TLS protocols Checks all TLS connections use TLSv1.2 or TLSv1.3 only. Rejects TLS 1.0 and 1.1 which are deprecated per PCI-DSS 4.1 and NIST SP 800-52r2.

KG-046 — Strong cipher suites only Enforces TLS 1.2/1.3 protocol versions, which mandate strong cipher suites by specification. TLS 1.3 eliminates all weak ciphers automatically.

KG-047 — ACL deny rules configured Verifies at least one explicit Deny ACL rule exists for defense-in-depth. Explicit deny rules prevent privilege escalation when broad allow rules exist.

KG-048 — Admin access restricted Limits the number of ACLs with All operation to 3 or fewer. Enforces least-privilege for cluster administrators.

KG-049 — Data retention policies enforced Verifies topic retention_ms is between 1 hour (3,600,000ms) and 90 days (7,776,000,000ms). Topics with infinite or zero retention indicate unmanaged data lifecycle.

KG-050 — Compliance metadata configured Passes by default — serves as a reminder checklist item to classify sensitive topics with compliance metadata (compliance.classification=pii).

Sample Scan Command

# Finance/regulated environment scan
export KAFKAGUARD_SASL_USERNAME="kafkaguard-finance"
export KAFKAGUARD_SASL_PASSWORD="$(vault kv get -field=password secret/kafka/finance)"

kafkaguard scan \
  --bootstrap kafka-finance.prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/finance-iso.yaml \
  --format json,html \
  --out /var/reports/kafkaguard/finance \
  --fail-on medium \
  --upload http://dashboard:3001

Expected Results (secure regulated cluster):

  • 45-48 passed controls (typical for compliant finance cluster)
  • 2-5 failed controls (environment-specific gaps)
  • Score: 88-96%

Expected Results (development cluster, PLAINTEXT):

  • 31 passed / 19 failed (score ~57.8% — expected, dev cluster lacks security hardening)
  • All reliability and operational controls pass
  • Security controls fail as expected on unsecured cluster

Tier Selection Checklist

Use this checklist to select the appropriate policy tier:

Environment Assessment

  • Development/Sandbox? → Use baseline-dev
  • Production with customer data? → Use enterprise-default
  • Regulated industry (finance/healthcare/gov)? → Use finance-iso (50 controls)
  • Internal testing only? → Use baseline-dev
  • CI/CD integration? → Use enterprise-default for production-like scanning

Security Requirements

  • SASL authentication required? → Use enterprise-default or higher
  • SSL/TLS encryption required? → Use enterprise-default or higher
  • Mutual TLS required? → Use finance-iso (Enterprise)
  • Certificate validation needed? → Use enterprise-default or higher

Compliance Requirements

  • PCI-DSS compliance needed? → Use enterprise-default or higher
  • SOC2 Trust Service Criteria? → Use enterprise-default or higher
  • ISO 27001 alignment? → Use enterprise-default or higher
  • HIPAA/HITECH? → Use finance-iso (Enterprise)
  • Regulatory audits? → Use enterprise-default or higher

Operational Considerations

  • Scan performance critical?baseline-dev is fastest (~8 seconds)
  • Detailed remediation needed? → Higher tiers provide more guidance
  • Custom controls required? → Create custom policy based on appropriate tier
  • Team size and resources? → Higher tiers require more security expertise

Decision Matrix

Environment TypeData SensitivityCompliance LevelRecommended Tier
DevelopmentLow (internal)Nonebaseline-dev
StagingMediumBasicenterprise-default
ProductionHigh (customer)Standard (PCI/SOC2/ISO)enterprise-default
ProductionHigh (PII/PHI)Advanced (HIPAA/regulatory)finance-iso (Enterprise)

Quick Tier Selection Commands

Development Environment

# Quick dev scan
kafkaguard scan --bootstrap localhost:9092

# Dev with custom output
kafkaguard scan \
  --bootstrap localhost:9092 \
  --policy policies/baseline-dev.yaml \
  --format html \
  --out ./dev-reports

Production Environment

# Production scan with security
export KAFKAGUARD_SASL_USERNAME="kafkaguard"
export KAFKAGUARD_SASL_PASSWORD="$(vault kv get -field=password secret/kafka/prod)"

kafkaguard scan \
  --bootstrap kafka-prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --format json,html,pdf \
  --out /var/reports/kafkaguard

CI/CD Pipeline

# CI/CD scan with appropriate tier
if [ "$ENVIRONMENT" = "production" ]; then
  POLICY="policies/enterprise-default.yaml"
  FAIL_ON="high"
else
  POLICY="policies/baseline-dev.yaml"
  FAIL_ON="medium"
fi

kafkaguard scan \
  --bootstrap $KAFKA_BROKER \
  --policy $POLICY \
  --format json \
  --fail-on $FAIL_ON \
  --no-color

Multi-Environment Scanning

# Scan multiple environments with appropriate tiers
declare -A ENV_POLICIES=(
  ["dev"]="policies/baseline-dev.yaml"
  ["staging"]="policies/enterprise-default.yaml"
  ["prod"]="policies/enterprise-default.yaml"
)

for env in "${!ENV_POLICIES[@]}"; do
  echo "Scanning $env environment..."
  kafkaguard scan \
    --bootstrap "kafka-$env:9092" \
    --policy "${ENV_POLICIES[$env]}" \
    --format json \
    --out "./reports/$env"
done

Tier Transition Strategies

From baseline-dev to enterprise-default

When: Moving from development to production

# 1. Test enterprise policy in staging
kafkaguard scan \
  --bootstrap kafka-staging:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-256 \
  --tls-ca-cert /path/to/ca-cert.pem \
  --policy policies/enterprise-default.yaml \
  --format html \
  --out ./transition-test

# 2. Address security gaps
# - Enable SASL authentication
# - Configure SSL/TLS certificates
# - Set up proper ACLs

# 3. Deploy to production
kafkaguard scan \
  --bootstrap kafka-prod:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --format json,html,pdf \
  --out /var/reports/kafkaguard \
  --fail-on high

Custom Policy Development

When: Standard tiers don't meet specific requirements

# 1. Start with appropriate base tier
cp policies/enterprise-default.yaml policies/custom-org.yaml

# 2. Add custom controls (KG-051+)
# Edit policies/custom-org.yaml

# 3. Validate custom policy
kafkaguard validate-policy --policy policies/custom-org.yaml

# 4. Test against cluster
kafkaguard scan \
  --bootstrap kafka-test:9092 \
  --policy policies/custom-org.yaml \
  --format json

# 5. Deploy to production
kafkaguard scan \
  --bootstrap kafka-prod:9095 \
  --policy policies/custom-org.yaml \
  --format json,html,pdf \
  --out /var/reports/kafkaguard

Gradual Rollout Strategy

# Phase 1: Baseline monitoring (no failures)
kafkaguard scan \
  --bootstrap kafka:9092 \
  --policy policies/baseline-dev.yaml \
  --fail-on none \
  --format json,html

# Enterprise: Enterprise policy (warning only)
kafkaguard scan \
  --bootstrap kafka:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --fail-on none \
  --format json,html

# Phase 3: Full enforcement
kafkaguard scan \
  --bootstrap kafka:9095 \
  --security-protocol SASL_SSL \
  --sasl-mechanism SCRAM-SHA-512 \
  --tls-ca-cert /etc/kafkaguard/certs/ca.pem \
  --policy policies/enterprise-default.yaml \
  --fail-on high \
  --format json,html,pdf

Next Steps

Document Information

  • Last Updated: 2026-04-10
  • Applies to Version: KafkaGuard 1.0.0+
  • Feedback: Open an issue for corrections or improvements