Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Compliance in Cloud Native

Carol
November 24, 2020
Technology
2
160

Compliance in Cloud Native

Let's talk about security controls in Cloud Native environments, a checklist to comply with compliance such as ISO 27001, show tools that will help us in the security journey in the Kubernetes cluster.

Carol

November 24, 2020
Tweet

More Decks by Carol

See All by Carol
Contribute to translate K8s Docs, Glossary and CNCF-whitepaper
krol3
1
88
Vulnerabilities in Golang
krol3
0
14
DevSecOps em Aplicações, Cloud, Artefatos
krol3
2
130
Security in Cloud using Infrastructure as a Code (IaaS)
krol3
0
140
Security Opensource Tools in Cloud Native
krol3
1
180
Intro to Operators in Kubernetes
krol3
0
61
Container Security
krol3
4
260
Segurança em Kubernetes
krol3
1
190
Vault em Kubernetes
krol3
3
180

Other Decks in Technology

See All in Technology
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
310
Building Dashboards as a Hobby
egmc
0
240
プロンプトエンジニアリングでがんばらない-Agentic Workflow へ-近藤憲児
kenjikondobai
3
930
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
680
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
320
Gitlab本から学んだこと - そーだいなるプレイバック / gitlab-book
soudai
4
440
VS CodeでAWSを操作しよう
smt7174
8
1.7k
JAWS-UG Bedrock Claude Night
yamahiro
3
610
生産性向上チームの紹介
cybozuinsideout
PRO
1
870
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
910
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
110
Terraformあれやこれ/terraform-this-and-that
emiki
8
1.4k

Featured

See All Featured
Thoughts on Productivity
jonyablonski
58
3.8k
Art, The Web, and Tiny UX
lynnandtonic
289
19k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
The Cult of Friendly URLs
andyhume
74
5.7k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
How GitHub (no longer) Works
holman
304
140k
Typedesign – Prime Four
hannesfritz
36
2.1k
In The Pink: A Labor of Love
frogandcode
138
21k
How to Ace a Technical Interview
jacobian
272
22k

Transcript

  1. Compliance em Cloud Native Carol Valencia @krol_valencia

  2. Carol Valencia Solution Architect in in/carolgv krol3 @krol_valencia @krol_valencia

  3. Iso/iec 27001 Information technology - Security techniques - Information security

    management systems - Requirements @krol_valencia

  4. https://www.caveonix.com/solutions/iso/ @krol_valencia

  5. https://www.caveonix.com/solutions/iso/ @krol_valencia

  6. https://blog.ine.com/13-effective-security-controls-in-microsoft-azure-for-iso-27001-compliance @krol_valencia

  7. 7 https://blog.ine.com/what-is-the-goal-of-azure-security Confidentiality - CIA

  8. https://blog.ine.com/what-is-the-goal-of-azure-security 8 Integrity - CIA

  9. https://blog.ine.com/what-is-the-goal-of-azure-security 9 Availability - CIA

  10. A.8 Asset Management @krol_valencia

  11. @krol_valencia

  12. @krol_valencia

  13. A.9 Access Control https://isoconsultantkuwait.com/2019/12/08/iso-270012013-a-9-access-control/ @krol_valencia

  14. RBAC https://www.cncf.io/blog/2018/08/01/demystifying-rbac-in-kubernetes/ @krol_valencia

  15. Autenticação e Autorização https://theithollow.com/2020/01/21/active-directory-authentication-for-kubernetes-clusters/ @krol_valencia

  16. Acesso ao Cluster Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/ @krol_valencia

  17. A.10 Criptografia § Use of encryption (only TLS for public

    communication) § Key Management § Certs in Vault @krol_valencia

  18. A.12 Operations Security • Documented Operating Procedures • Event Logging

    • Management of Technical Vulnerabilities @krol_valencia

  19. A.12.1: Operational procedures and responsibilities https://itnext.io/platform-as-code-how-it-compares-with-infrastructure-as-code-and-what-it-enables-2684b348be2e @krol_valencia

  20. A.12.4: Logging and Monitoring

  21. A.12.5: Integrity of operational systems - Immutable Infrastructure • No

    SSH on workers • Build from scratch on every update - Rolling redeploy every week with newest K8s

  22. A.12.6: Technical Vulnerability Management - Explicit configured sync from selected

    public docker images only - Update Checker for system components - Planned: Container Image Scanning https://github.com/aquasecurity/trivy/ @krol_valencia

  23. A.13 Communications Security https://itnext.io/how-to-kubernetes-cluster-network-security-f19bc99161f5 @krol_valencia

  24. NETWORK POLICY USANDO OPA https://www.magalix.com/blog/how-to-enforce-kubernetes-network-security-policies-using-opa @krol_valencia

  25. https://blog.aquasec.com/istio-kubernetes-security-zero-trust-networking @krol_valencia

  26. A.14 System Acquisition, Development & Maintenance https://holisticsecurity.io/2020/02/10/security-along-the-container-based-sdlc @krol_valencia

  27. A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT https://www.rancher.co.jp/docs/rke/latest/en/etcd-snapshots/example-scenarios/ -

    High availability - Backup & Recovery @krol_valencia

  28. A.17 Information Security Aspects of Business Continuity Management https://velero.io/ @krol_valencia

  29. A.17 Information Security Aspects of Business Continuity Management - High

    availability - Backup & Recovery https://banzaicloud.com/blog/etcd-multi/ @krol_valencia

  30. A.17 Information Security Aspects of Business Continuity Management - High

    availability - Backup & Recovery https://banzaicloud.com/blog/etcd-multi/ @krol_valencia

  31. CIS Benchmark - CIS Benchmark Linux - CIS Benchmark Docker

    - CIS Benchmark Kubernetes https://github.com/aquasecurity/kube-bench @krol_valencia

  32. Pentesting em Kubernetes https://github.com/aquasecurity/kube-hunter @krol_valencia

  33. CSPM - Cloud Secure Posture Management https://github.com/aquasecurity/cloudsploit @krol_valencia

  34. References - KubeSec: https://kubesec.aquasec.com/enterprise_online_series - Iso 27001: https://www.isms.online/iso-27001 - Disaster

    Recovery: https://www.altoros.com/blog/enabling-high-availability-and-disaster- recovery-in-kubernetes - https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/get-started - Cryptografia - Casa Hacker: https://www.youtube.com/watch?v=9CoQpGt6aAg&feature=em-lbrm @krol_valencia