find me at @lancinimarco https://www.marcolancini.it
▪ Work Life
◦ Started as a pentester at CEFRIEL, MWR
◦ Built security functions at Mastercard, Thought Machine, GitLab
◦ Currently, I'm a Staff Cloud Security Engineer at GitLab
▪ Outside of Work
◦ Curator of CloudSecList and CloudSecDocs
◦ Member of CNCF Security Technical Advisory Group (STAG)
◦ Maintainer of Cartography
◦ AWS Community Builder
are the main entry points?
▪ What components are Internet-facing?
▪ How do customers get access?
▪ How do engineers get access?
▪ How are Accounts connected to each other?
▪ How is firewalling implemented?
▪ How is the edge protected?
▪ How is DNS managed?
▪ Any hybrid connectivity?
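A first pass at "what is Internet-facing" and "how is firewalling implemented" is to list every security-group ingress rule open to the world on a port the edge is not meant to expose. The script below is an added example, not code from the original slides; it works on the dict shape that boto3's ec2.describe_security_groups() returns, and the sample groups and the set of expected public ports are constructed assumptions.

```python
"""Flag security-group ingress rules reachable from the whole Internet.

Added example, not from the original slides. It works on the dict shape
returned by boto3's ec2.describe_security_groups(); the groups below are
constructed inline so the check runs offline.
"""
from __future__ import annotations

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
# Ports the public edge is expected to expose (assumption: an HTTP(S)-only
# edge). Anything else open to the world is reported.
EXPECTED_PUBLIC_PORTS = {80, 443}

# Constructed sample in describe_security_groups() shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "VpcId": "vpc-1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0e5f6a7b", "VpcId": "vpc-1", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
]


def _port_range(perm: dict) -> tuple[int, int]:
    """Port range a rule covers; protocol '-1' (all traffic) carries no ports."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def _open_to_world(perm: dict) -> bool:
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def internet_exposed_rules(groups: list[dict]) -> list[dict]:
    """One finding per ingress rule open to 0.0.0.0/0 or ::/0 whose port
    range is anything other than a single expected public port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            lo, hi = _port_range(perm)
            if lo == hi and lo in EXPECTED_PUBLIC_PORTS:
                continue
            findings.append({
                "group": sg["GroupId"],
                "name": sg.get("GroupName"),
                "vpc": sg.get("VpcId"),
                "protocol": perm.get("IpProtocol"),
                "ports": (lo, hi),
            })
    return findings


if __name__ == "__main__":
    # Against a live account, replace SAMPLE_GROUPS with
    # boto3.client("ec2").describe_security_groups()["SecurityGroups"]
    for finding in internet_exposed_rules(SAMPLE_GROUPS):
        print(finding)
```

A world-open rule is necessary but not sufficient for exposure: the resource also needs a public IP and a route to an Internet gateway, so treat the findings as the candidate list to verify, not as the final inventory. Repeat per region and per account, since the question on the slide is about how Accounts connect, not about one of them.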
Where are identities defined?
▪ Is an Identity Provider being used?
▪ Are identities federated?
▪ Is SSO being used?
▪ Are named users a common practice, or roles with short-lived tokens?
▪ How is authorization enforced? Principle of least privilege? RBAC?
▪ Processes for access requests and deprovisioning?
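The "named users or roles with short-lived tokens" question has a concrete data source in AWS: the IAM credential report lists only IAM users (roles are assumed through STS and get short-lived tokens, so they never appear), which makes every row a long-lived identity to justify. The check below is an added example, not code from the original slides; the CSV is a constructed sample with the report's column names, and the 90-day rotation threshold is an assumption.

```python
"""Flag long-lived credentials in an IAM credential report.

Added example, not from the original slides. Input is the CSV returned by
iam.get_credential_report(); the report below is constructed inline so the
check runs offline, and the 90-day threshold is an assumption.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)                  # assumed rotation policy
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # pinned for reproducibility

# Constructed sample; column names follow the credential report, and the
# certificate columns are omitted because nothing below reads them.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
alice,arn:aws:iam::111111111111:user/alice,2023-01-05T09:00:00+00:00,true,2024-05-30T08:00:00+00:00,2024-04-01T08:00:00+00:00,N/A,true,true,2024-05-01T10:00:00+00:00,2024-05-20T10:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2022-03-10T09:00:00+00:00,true,2024-05-30T08:00:00+00:00,2022-03-10T09:00:00+00:00,N/A,false,true,2023-01-10T10:00:00+00:00,2024-05-30T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2024-04-01T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""


def _timestamp(value: str):
    """Report timestamps are ISO 8601; placeholders such as N/A become None."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def credential_findings(report_csv: str, now: datetime = NOW) -> list:
    """One human-readable finding per weak credential in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console users without MFA: a phished password is a full takeover.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password enabled without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append(f"{user}: access key {n} older than {MAX_KEY_AGE.days} days")
            # Keys that exist but were never used are pure attack surface.
            if _timestamp(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append(f"{user}: access key {n} active but never used")
    return findings


if __name__ == "__main__":
    # Live: iam = boto3.client("iam"); iam.generate_credential_report();
    # report = iam.get_credential_report()["Content"].decode()
    for line in credential_findings(SAMPLE_REPORT):
        print(line)
```

The machine user in the sample (ci-deploy) is the case the slide is really asking about: a pipeline holding a static access key should usually be a role assumed via OIDC federation instead, at which point the row disappears from this report entirely.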
Are security-related logs collected at all?
▪ What kind of logs are being ingested?
▪ How are logs collected?
▪ Where are the logs forwarded?
Kubernetes
▪ Are audit logs collected?
▪ Are System Calls and Kubernetes Audit Events collected via Falco?
▪ Is a data collector like fluentd used to collect logs?
▪ Is the data collector deployed as a Sidecar or DaemonSet?
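Collecting Kubernetes audit events only pays off if someone reads them, so the next question is what a first-pass triage looks like. The script below is an added example, not code from the original slides or from Falco; it consumes audit.k8s.io/v1 Event objects in the JSON-lines form the kube-apiserver writes to --audit-log-path (or forwards to a webhook or fluentd), and the sample events, the SENSITIVE table and the system-identity filter are constructed assumptions.

```python
"""Triage Kubernetes audit events for sensitive API activity.

Added example, not from the original slides. Reads audit.k8s.io/v1 Event
objects in JSON-lines form; the events below are constructed inline and the
SENSITIVE table and system-identity filter are assumptions to tune.
"""
import json

# In-cluster controllers generate most secret reads; assumed noise here. A
# compromised controller would hide behind this filter, so tune it with care.
SYSTEM_PREFIXES = ("system:",)

# (verbs, resource, subresource, label)
SENSITIVE = [
    ({"get", "list", "watch"}, "secrets", None, "secret read"),
    ({"create"}, "pods", "exec", "exec into pod"),
    ({"create", "update", "patch"}, "clusterrolebindings", None, "cluster-wide RBAC change"),
]


def _event(stage, user, verb, resource, name, code, ns=None, sub=None):
    """Build a minimal audit.k8s.io/v1 Event (constructed sample data)."""
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": f"{user}-{verb}-{resource}-{stage}", "stage": stage, "verb": verb,
        "user": {"username": user, "groups": ["system:authenticated"]},
        "sourceIPs": ["10.0.0.7"],
        "objectRef": {"resource": resource, "namespace": ns, "name": name, "subresource": sub},
        "responseStatus": {"code": code},
    }


SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("RequestReceived", "alice", "get", "secrets", "db-creds", None, ns="prod"),
    _event("ResponseComplete", "alice", "get", "secrets", "db-creds", 200, ns="prod"),
    _event("ResponseComplete", "system:serviceaccount:kube-system:generic-garbage-collector",
           "list", "secrets", None, 200),
    _event("ResponseComplete", "bob", "create", "pods", "api-7d9f", 101, ns="prod", sub="exec"),
    _event("ResponseComplete", "alice", "get", "pods", "api-7d9f", 200, ns="prod"),
    _event("ResponseComplete", "carol", "create", "clusterrolebindings", "carol-admin", 403),
])


def triage(audit_jsonl: str) -> list:
    """One hit per ResponseComplete event by a non-system identity that matches
    the SENSITIVE table. Denied (403) attempts are kept on purpose: they are
    often the earliest sign of someone probing their permissions."""
    hits = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Each request is logged at several stages; count it once.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "")
        if user.startswith(SYSTEM_PREFIXES):
            continue
        ref = ev.get("objectRef") or {}
        for verbs, resource, sub, label in SENSITIVE:
            if (ev.get("verb") in verbs and ref.get("resource") == resource
                    and ref.get("subresource") == sub):
                hits.append({
                    "audit_id": ev.get("auditID"),
                    "user": user,
                    "what": label,
                    "namespace": ref.get("namespace"),
                    "name": ref.get("name"),
                    "code": (ev.get("responseStatus") or {}).get("code"),
                    "source_ips": ev.get("sourceIPs", []),
                })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_AUDIT_LOG):
        print(hit)
```

Two caveats for the assessment itself: events exist only for what the audit policy records (Metadata level is enough for the three rules above, since verb and objectRef are always present), and on managed clusters the log is exposed through the provider's control-plane logging rather than a file on the node. A DaemonSet collector can pick up node-level files such as this one; a sidecar sees only the pod it is attached to, which is why the slide asks how the collector is deployed.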
▪ Where are secrets fetched from?
▪ How are secrets made available?
▪ Is there a practice of hardcoding secrets?
▪ Secrets management solution?
▪ Are secrets bound to a specific workload?
▪ Processes around secret management defined? Revocation of secrets?
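"Is there a practice of hardcoding secrets?" is best answered by scanning rather than by asking. The scanner below is an added example, not code from the original slides or from any existing tool; it pairs fixed-format patterns (AWS access key IDs, PEM private-key headers) with a Shannon-entropy check on credential-looking assignments, so that random tokens are caught while low-entropy placeholders are not. The sample file is constructed (the AKIA value is AWS's documented example key, not a real credential) and the entropy threshold is an assumption.

```python
"""Find hardcoded secrets in source or config text.

Added example, not from the original slides. Fixed-format patterns catch
credentials identifiable by structure; an entropy check catches generic
opaque values assigned to credential-like names. Sample input is constructed.
"""
import math
import re
from collections import Counter

# Fixed-format credentials: identifiable by structure alone.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}
# Generic credentials: a credential-like name assigned a long opaque value.
ASSIGNMENT = re.compile(
    r"(?i)\b(secret|password|passwd|token|api[_-]?key)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed, tune per codebase

SAMPLE_FILE = """\
# constructed sample config, not real credentials
db_host = "db.internal"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
api_key = "kZ9sQ2xP7vLm4Nt8Rb3Wc6Yh1Jd5Fg0A"
password = "changeme_changeme"
token = os.environ["API_TOKEN"]
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: 32 distinct characters give 5.0, 'aaaa' gives 0.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan(text: str, source: str = "<input>") -> list:
    """Return one finding per suspected hardcoded secret, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"file": source, "line": lineno, "kind": kind, "value": m.group(0)})
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            entropy = shannon_entropy(value)
            # Low-entropy placeholders such as changeme_changeme are not secrets;
            # a value read from the environment never reaches this branch.
            if entropy >= ENTROPY_THRESHOLD:
                findings.append({"file": source, "line": lineno, "kind": "high_entropy_value",
                                 "value": value, "entropy": round(entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILE, "config.py"):
        print(finding)
```

Run it in CI on every change and once over the full git history, since a secret removed from the current tree is still present in earlier commits. Any hit also feeds the last question on the slide: a leaked secret must be revocable, so the process should end with rotation, not with deleting the line.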