[Mar25-CNCF-Madison] Proactive Security at Scale

Transcript

1. Proactive Security at Scale Embracing CNCF’s Cloud Native Security Principles

   Ryan Etten Senior Architect, Red Hat Cloud Native Madison Organizer Derek Walker Senior Architect, Red Hat

2. Today’s Agenda CNCF Code of Conduct Community Group Intros Cloud

   Native Security Overview Security Lifecycle & Core Principles Tools & Recommendations Q&A

3. CNCF Code of Conduct We abide by the CNCF Code

   of Conduct, which ensures an inclusive and respectful environment. Please help us keep our community safe and welcoming. If you face or witness any uncomfortable conduct, reach out to local organizers or CNCF directly.

4. The CNCF Founded in 2015, the Cloud Native Computing Foundation

   supports vital open source projects (Kubernetes, Prometheus, Envoy, and more). They also host major conferences and empower local groups—like us—across the globe. We share the CNCF’s goal: building strong cloud-native communities.

5. Local community serving Madison, WI and surrounding areas Meetups, workshops,

   networking on cloud-native and Dev(Sec)Ops Alignment with CNCF principles Who We Are: Cloud Native Madison

6. Joining Cloud Native Madison is Easy! linktr.ee/cloud.native.madison Join our Slack,

   find our new company page on LinkedIn, Join our Cloud Native Community Group on CNCF, and follow our CFP process to submit your ideas and talks to help grow this community. Stay tuned for much more to come!

7. Our Pillars for 2025: Chat, Circle, Connect Chat Biweekly community

   “office hours” → quick convos and Q&A 2nd and 4th Fridays of Every Month Circle ⇐ WE ARE HERE! Monthly deep dives (today’s session) 3rd Thursday of Every Month Connect Quarterly large events for networking, workshops, etc.

8. Understanding (Secure) Cloud Native Cloud Native defined: Microservices, Containers, and

   Kubernetes-based Orchestration Focus: Speed, scalability, resilience, rapid software lifecycle Importance of shifting security left, embedding it into development from day one

9. Limitations of traditional perimeter-based security models Challenges of dynamic workloads

   Ephemeral containers, frequent updates, distributed architectures Increasing threat landscape Complexity necessitating adaptive security strategies The Necessity of Cloud Native Security

10. Cloud Native Security - Lifecycle Overview Four Phases: Develop, Distribute,

    Deploy, Runtime Highlighting Importance of holistic, continuous security integration
11. None

12. Security Practices in the Develop Phase Secure coding guidelines and

    patterns OWASP Top 10 Dependency vulnerability management SAST, DAST, SCA tools Integration of automated security checks into the CI pipeline Role of compliance checks CIS Benchmarks
13. None

14. Securing the Distribute Phase Protecting the Software Supply Chain Artifact

    verification via signing Sigstore, Notary Trusted container registries and image repositories Continuous scanning for vulnerabilities and policy enforcement during image build Mitigating supply-chain attacks: SBOM Software Bill of Materials
15. None

16. Deploy Phase Security Measures Ensuring secure configuration through Infrastructure as

    Code (IaC) validation Policy enforcement using Admission Controllers OPA/Gatekeeper Observability and monitoring for detecting misconfigurations prior to deployment Blue/Green deployments, Canary testing for secure releases
17. None

18. Runtime Phase Security Controls Real-time threat detection with cloud-native security

    tools Falco, runtime IDS/IPS (Stackrox) Network security policies and isolation through Kubernetes namespaces and cgroups Runtime anomaly detection using behavior analysis tools Implementation of Zero Trust via SPIFFE/SPIRE, mutual TLS (mTLS), service meshes
19. None

20. Defense-in-Depth: Multi-Layered Security Concept: multiple redundant layers to reduce single

    points of failure Examples of layers: container runtime security, network policies, identity/authentication layers Real-world application: combining Kubernetes security policies, container runtime monitoring, and cloud provider security groups

21. Core Security Principle: Secure Defaults Default settings of in-house and

    vended components within your ecosystem should provide a secure baseline i.e. a reasonably secure posture with the goal of no effort Selecting an insecure configuration is a conscious decision Secure defaults reduce cognitive load and decrease time to establish an initial secure baseline and to deploy to production secure by default is “secure by design”

22. Core Security Principle: Least Privilege Fundamental and universal principle for

    any security discipline - an isolation control minimizing attack surface and loss In cloud native no different; least privilege must be applied at every layer of the stack and to every component As applied to cloud native security, this includes rootless builds, minimizing privilege containers Mandatory Access Control (MAC) implementations (e.g. SELinux and AppArmor) and Seccomp in kubernetes can further limit the privileges and are enforced by the kernel

23. Core Security Principle: Organizational Security Roles & Culture Security must

    be integrated into every phase of the development lifecycle and is a cross-cutting concern so need security to be a 1st class citizen in all Cross-functional security collaboration and shared accountability is needed across Dev, Ops, Security teams (i.e., DevSecOps) Shift-left - developers need to embrace and recognize their role and address security at the start; secure by design The rest of the org - regular security training, awareness campaigns, and inclusion at all levels

24. Core Security Principle: GitOps and Security Automation Leverage GitOps (ArgoCD)

    for deployment automation, increased security posture, reduced human error, increased operational efficiency Manage security configurations and policies with GitOps through version-controlled repositories, making every change auditable and consistent Automate security functions (IaC): configuration (e.g. firewall rules), scanning and reporting, provisioning Automate Incident response — Security Orchestration, Automation, and Response (SOAR) = SIEM + automation

25. Core Security Principle: Zero Trust Architecture Explanation: "Never trust, always

    verify” every entity via cryptographic keys or tokens, chain of attestation Access to resources never assumed, identity and permissions verified at every step - lateral movement control Implementation examples: microsegmentation, mutual TLS, identity management (SPIFFE/SPIRE)

26. Security Assurance & Compliance Continuous assessment - regular security audits,

    automated scans, vulnerability assessments Continuous compliance as a part of DevSecOps practices Leverage cloud-specific compliance standards to increase security posture: CIS Benchmark for Kubernetes, NIST 800-53, NIST 800-190, NIST 800-218 (SSDF), CISA Secure-by-Design* Industry compliance standards apply to the cloud as well: PCI, HIPAA

27. Threat modelling is an aspect and technique of “secure-by-design” for

    both workloads and infrastructure Learn threat modeling techniques (STRIDE, MITRE ATT&CK, Attack Trees) Incident response process must be tailored for Cloud Native environments Refine future defenses through automation of responses, incident documentation, and post-mortem analysis Threat Modeling

28. Incident Response Requires observability and monitoring infrastructure to capture data

    and events based on an event-driven architecture Establish, prove and practise robust incident response plans and procedures based on threat modeling and risk assessments Automation of incident response (e.g. SOAR) to give a consistent effective response, reduce mean time to detect (MTTD) and mean time to respond (MTTR)

29. CNCF Security Landscape * Note maturity levels: Sandbox, Incubating, and

    Graduated

30. CNCF Security Projects and Tools Falco, Stackrox Runtime Threat Detection

    Notary and Sigstore Artifact Security/Signing SPIFFE/SPIRE and Keycloak Identity Management Open Policy Agent/Gatekeeper, StackRox Policy Enforcement

31. Actionable Recommendations Cultivate a proactive security-first culture and embrace collaboration

    and devSecOps, shift-left, secure-by-design approaches and methodologies Apply cloud-native security principles, controls, tooling, software and infrastructure delivery techniques, and automation based on your risk profile and tolerance Leverage cloud-specific compliance standards and frameworks to establish and/or increase security posture based on your risk profile and tolerance Continuous learning

32. “Security is a continuous process” of iterative improvement to ever

    changing requirements Importance of feedback loops, regular security reviews, and adapting to evolving threats Recommended next steps for organizations starting their cloud-native security journey begins with… Moving Forward & Continuous Improvement

33. Leverage CNCF security frameworks, communities, and resources - and contribute,

    too! CNCF Cloud Native Security Whitepaper

34. Questions?

35. Thank You!