Slide 1

Slide 1 text

Compliance in Cloud Native - Carol Valencia @krol_valencia

Slide 2

Slide 2 text

Carol Valencia - Solution Architect - in/carolgv - krol3 - @krol_valencia

Slide 3

Slide 3 text

ISO/IEC 27001 Information technology - Security techniques - Information security management systems - Requirements

Slide 4

Slide 4 text

https://www.caveonix.com/solutions/iso/

Slide 5

Slide 5 text

https://www.caveonix.com/solutions/iso/

Slide 6

Slide 6 text

https://blog.ine.com/13-effective-security-controls-in-microsoft-azure-for-iso-27001-compliance

Slide 7

Slide 7 text

Confidentiality - CIA https://blog.ine.com/what-is-the-goal-of-azure-security

Slide 8

Slide 8 text

Integrity - CIA https://blog.ine.com/what-is-the-goal-of-azure-security

Slide 9

Slide 9 text

Availability - CIA https://blog.ine.com/what-is-the-goal-of-azure-security

Slide 10

Slide 10 text

A.8 Asset Management

Slide 11

Slide 11 text


Slide 12

Slide 12 text


Slide 13

Slide 13 text

A.9 Access Control https://isoconsultantkuwait.com/2019/12/08/iso-270012013-a-9-access-control/

Slide 14

Slide 14 text

RBAC https://www.cncf.io/blog/2018/08/01/demystifying-rbac-in-kubernetes/

Slide 15

Slide 15 text

Authentication and Authorization https://theithollow.com/2020/01/21/active-directory-authentication-for-kubernetes-clusters/

Slide 16

Slide 16 text

Access to the Kubernetes Cluster https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/
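The A.9 slides above map access control onto Kubernetes RBAC. The check a reviewer actually wants is whether the Roles and bindings in a cluster respect least privilege. The script below is an added example, not code from the talk: it audits parsed RBAC objects (the shape `kubectl get clusterroles,clusterrolebindings -o json` returns) for wildcard grants, privilege-escalation verbs, access to secrets and `pods/exec`, and cluster-admin handed to anything other than built-in `system:` identities. The sample objects are constructed so it runs offline.

```python
"""Audit Kubernetes RBAC objects for grants that defeat least privilege.

Added example for the A.9 Access Control slides; it is not code from the talk.
Input is the parsed form of `kubectl get clusterroles,clusterrolebindings -o json`
items; the objects below are constructed samples so the script runs offline.
"""

# Verbs that let a subject widen its own permissions or act as another identity.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

# Resource/verb pairs that amount to credential theft or node takeover.
SENSITIVE_GRANTS = [
    ("secrets", "get"), ("secrets", "list"), ("secrets", "watch"),
    ("pods/exec", "create"), ("pods/attach", "create"), ("nodes/proxy", "get"),
]


def rule_grants(rule, resource, verb):
    """True if one PolicyRule permits `verb` on `resource` ("*" matches anything)."""
    verbs = rule.get("verbs", [])
    resources = rule.get("resources", [])
    return ("*" in verbs or verb in verbs) and ("*" in resources or resource in resources)


def audit_role(role):
    """Return (object, finding) pairs for a Role or ClusterRole."""
    ref = f'{role["kind"]}/{role["metadata"]["name"]}'
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            findings.append((ref, "wildcard verbs on wildcard resources (cluster-admin equivalent)"))
            continue  # the finer-grained checks would only repeat this
        escalation = verbs & ESCALATION_VERBS
        if escalation:
            findings.append((ref, f"escalation verbs {sorted(escalation)} on {sorted(resources)}"))
        for resource, verb in SENSITIVE_GRANTS:
            if rule_grants(rule, resource, verb):
                findings.append((ref, f"{verb} on {resource}"))
    return findings


def audit_binding(binding):
    """Flag cluster-admin handed to anything other than built-in system: identities."""
    ref = f'{binding["kind"]}/{binding["metadata"]["name"]}'
    if binding["roleRef"]["name"] != "cluster-admin":
        return []
    findings = []
    for subject in binding.get("subjects", []):
        name = subject["name"]
        if subject["kind"] == "ServiceAccount":
            ns = subject.get("namespace", "")
            findings.append((ref, f"cluster-admin granted to ServiceAccount {ns}/{name}"))
        elif not name.startswith("system:"):
            findings.append((ref, f'cluster-admin granted to {subject["kind"]} {name}'))
    return findings


def audit(items):
    """Run both audits over a mixed list of RBAC objects."""
    findings = []
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            findings.extend(audit_role(obj))
        elif obj["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings.extend(audit_binding(obj))
    return findings


# Constructed sample: one tight Role, one over-broad ClusterRole, one risky binding.
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "configmap-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ops-helper"},
     "rules": [{"apiGroups": [""], "resources": ["secrets", "pods/exec"], "verbs": ["*"]},
               {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["bind"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"},
                  {"kind": "Group", "name": "system:masters"}]},
]

if __name__ == "__main__":
    for ref, finding in audit(SAMPLE):
        print(f"{ref}: {finding}")
```

Against a live cluster, feed `audit()` the `items` list from `json.load` of the kubectl output. The `bind` and `escalate` verbs deserve the special-casing: a subject with `bind` on clusterroles can grant itself cluster-admin without ever holding it directly, so a rule that looks harmless resource-by-resource is still a full escalation path.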

Slide 17

Slide 17 text

A.10 Cryptography
- Use of encryption (only TLS for public communication)
- Key management
- Certificates in Vault

Slide 18

Slide 18 text

A.12 Operations Security
- Documented operating procedures
- Event logging
- Management of technical vulnerabilities

Slide 19

Slide 19 text

A.12.1: Operational procedures and responsibilities https://itnext.io/platform-as-code-how-it-compares-with-infrastructure-as-code-and-what-it-enables-2684b348be2e

Slide 20

Slide 20 text

A.12.4: Logging and Monitoring

Slide 21

Slide 21 text

A.12.5: Integrity of operational systems - Immutable infrastructure
- No SSH on workers
- Build from scratch on every update
- Rolling redeploy every week with the newest Kubernetes release

Slide 22

Slide 22 text

A.12.6: Technical vulnerability management
- Explicitly configured sync from selected public Docker images only
- Update checker for system components
- Planned: container image scanning with Trivy https://github.com/aquasecurity/trivy/
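The first control on this slide, syncing only explicitly selected public images, only holds if something enforces it at deploy time. The script below is an added example, not code from the talk: a pre-deploy gate that normalizes image references the way the Docker reference grammar does (so a bare `nginx` is recognized as `docker.io/library/nginx`), checks them against an allowlist of registries or organizations, and requires a digest pin so that the image that was scanned is the image that runs. The allowlist entries, the sample references and the placeholder digest are assumptions constructed for the example.

```python
"""Pre-deploy gate for container image references (A.12.6 Technical Vulnerability Management).

Added example, not code from the talk: it enforces the slide's "sync from selected
public images only" as an allowlist of registries/organizations and requires digest
pins so that what was scanned is what runs. The allowlist entries are assumptions.
"""
import re

# Assumed sync targets: a whole private registry and one upstream organization.
ALLOWED_SOURCES = {"registry.internal.example", "quay.io/prometheus"}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image(ref):
    """Split a reference into (registry, repository, tag, digest) the way the
    Docker reference grammar does: the first path component is a registry only if
    it looks like a host, otherwise the image lives in docker.io/library."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
        if "/" not in path:
            path = "library/" + path
    tag = None
    # Only the last component can carry a tag; registry ports were consumed above.
    head, _, last = path.rpartition("/")
    if ":" in last:
        last, tag = last.split(":", 1)
        path = f"{head}/{last}" if head else last
    return registry, path, tag, digest


def check_image(ref, allowed_sources=ALLOWED_SOURCES):
    """Return a list of findings; an empty list means the reference passes the gate."""
    registry, repo, tag, digest = parse_image(ref)
    source = f"{registry}/{repo}"
    findings = []
    if not any(source == a or source.startswith(a.rstrip("/") + "/") for a in allowed_sources):
        findings.append(f"{ref}: {source} is not an allowed source")
    if digest is None:
        findings.append(f"{ref}: not pinned to a digest")
        if tag in (None, "latest"):
            findings.append(f"{ref}: floating tag '{tag or 'latest'}'")
    elif not DIGEST_RE.match(digest):
        findings.append(f"{ref}: malformed digest {digest}")
    return findings


def check_images(refs, allowed_sources=ALLOWED_SOURCES):
    """Gate a whole manifest's worth of image references at once."""
    findings = []
    for ref in refs:
        findings.extend(check_image(ref, allowed_sources))
    return findings


# Constructed sample references; the digest is a placeholder, not a real image digest.
GOOD_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_IMAGES = [
    f"registry.internal.example/app/api:1.4.2@{GOOD_DIGEST}",  # passes
    "quay.io/prometheus/prometheus:v2.45.0",                      # allowed, but not pinned
    "nginx",                                                      # docker.io/library/nginx:latest
    "localhost:5000/app:latest",                                  # dev registry, floating tag
]

if __name__ == "__main__":
    for finding in check_images(SAMPLE_IMAGES):
        print(finding)
```

The allowlist match is on the `registry/repository` prefix with a trailing slash, so `quay.io/prometheus` admits `quay.io/prometheus/prometheus` but not `quay.io/prometheusx/anything`. Once a reference passes the gate, the scanning step the slide lists as planned is `trivy image <reference>`; scanning the digest-pinned reference is what makes the scan result meaningful for the running workload.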

Slide 23

Slide 23 text

A.13 Communications Security https://itnext.io/how-to-kubernetes-cluster-network-security-f19bc99161f5

Slide 24

Slide 24 text

Network Policy using OPA https://www.magalix.com/blog/how-to-enforce-kubernetes-network-security-policies-using-opa

Slide 25

Slide 25 text

https://blog.aquasec.com/istio-kubernetes-security-zero-trust-networking
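The A.13 slides rely on Kubernetes NetworkPolicy (enforced by OPA or by an admission check) to segment cluster traffic, and the control only holds if every namespace starts from default deny. The script below is an added example, not code from the talk, and is plain Python rather than the Rego the slide links to so it runs offline: it reproduces the NetworkPolicy semantics that matter for the check (an empty `podSelector` selects every pod; `Ingress` is always implied while `Egress` is only implied when an `egress` section exists; no rules means deny-all, while a single empty rule `[{}]` means allow-all) and reports namespaces that lack a default deny in either direction or carry a policy that opens a whole direction. The namespaces and policies are constructed samples.

```python
"""Check that every namespace carries a working default-deny NetworkPolicy (A.13).

Added example for the communications-security slides; it is not code from the talk
and is plain Python rather than the OPA/Rego the slide links to, so it runs offline.
Input is the parsed form of `kubectl get networkpolicies -A -o json` items plus the
namespace list; the objects below are constructed samples.
"""


def selects_all_pods(policy):
    """An empty podSelector ({}) matches every pod in the namespace."""
    selector = policy["spec"].get("podSelector") or {}
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def effective_policy_types(policy):
    """Apply the API defaulting: Ingress is always implied; Egress only when an
    egress section is present (even an empty one) or policyTypes names it."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    types = {"Ingress"}
    if "egress" in spec:
        types.add("Egress")
    return types


def direction_effect(spec, direction):
    """'deny-all', 'allow-all' or 'selective' for one direction of an applicable policy.

    No rules (key absent or []) denies that direction for the selected pods; a
    single empty rule ([{}]) allows everything, a frequent copy-paste mistake.
    """
    rules = spec.get(direction) or []
    if not rules:
        return "deny-all"
    if any(rule == {} for rule in rules):
        return "allow-all"
    return "selective"


def classify(policy):
    """Summarize what one policy does to the pods it selects."""
    spec = policy["spec"]
    types = effective_policy_types(policy)
    return {
        "name": policy["metadata"]["name"],
        "namespace": policy["metadata"]["namespace"],
        "selects_all": selects_all_pods(policy),
        "ingress": direction_effect(spec, "ingress") if "Ingress" in types else None,
        "egress": direction_effect(spec, "egress") if "Egress" in types else None,
    }


def namespace_findings(namespaces, policies):
    """Return {namespace: [findings]} for namespaces without a default deny in
    each direction, or with a policy that allows a whole direction."""
    by_ns = {ns: [] for ns in namespaces}
    for policy in policies:
        by_ns.setdefault(policy["metadata"]["namespace"], []).append(classify(policy))
    report = {}
    for ns, classified in by_ns.items():
        findings = []
        for direction in ("ingress", "egress"):
            if not any(c["selects_all"] and c[direction] == "deny-all" for c in classified):
                findings.append(f"no default-deny {direction} policy")
            for c in classified:
                if c[direction] == "allow-all":
                    scope = "all pods" if c["selects_all"] else "selected pods"
                    findings.append(f'{c["name"]} allows all {direction} for {scope}')
        if findings:
            report[ns] = findings
    return report


# Constructed sample: payments is correct, web has the [{}] mistake, legacy has nothing.
SAMPLE_NAMESPACES = ["payments", "web", "legacy"]
SAMPLE_POLICIES = [
    {"metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "api-from-ingress", "namespace": "payments"},
     "spec": {"podSelector": {"matchLabels": {"app": "api"}},
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "ingress-nginx"}}}]}]}},
    {"metadata": {"name": "default-deny", "namespace": "web"},
     "spec": {"podSelector": {}, "ingress": [{}]}},
]

if __name__ == "__main__":
    for ns, findings in namespace_findings(SAMPLE_NAMESPACES, SAMPLE_POLICIES).items():
        for finding in findings:
            print(f"{ns}: {finding}")
```

The `web` namespace in the sample is the instructive case: its policy is named `default-deny` and selects every pod, but `ingress: [{}]` is one empty rule, which the API reads as "allow from anywhere", and without an `egress` section or `policyTypes` it does not restrict egress at all. A NetworkPolicy is only enforced when the CNI plugin supports it, so on a cluster whose network plugin ignores the resource this check passes while traffic still flows unrestricted.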

Slide 26

Slide 26 text

A.14 System Acquisition, Development & Maintenance https://holisticsecurity.io/2020/02/10/security-along-the-container-based-sdlc

Slide 27

Slide 27 text

A.17 Information Security Aspects of Business Continuity Management
- High availability
- Backup & recovery
https://www.rancher.co.jp/docs/rke/latest/en/etcd-snapshots/example-scenarios/

Slide 28

Slide 28 text

A.17 Information Security Aspects of Business Continuity Management https://velero.io/

Slide 29

Slide 29 text

A.17 Information Security Aspects of Business Continuity Management
- High availability
- Backup & recovery
https://banzaicloud.com/blog/etcd-multi/

Slide 30

Slide 30 text

A.17 Information Security Aspects of Business Continuity Management
- High availability
- Backup & recovery
https://banzaicloud.com/blog/etcd-multi/

Slide 31

Slide 31 text

CIS Benchmarks
- CIS Benchmark Linux
- CIS Benchmark Docker
- CIS Benchmark Kubernetes
https://github.com/aquasecurity/kube-bench

Slide 32

Slide 32 text

Pentesting in Kubernetes https://github.com/aquasecurity/kube-hunter

Slide 33

Slide 33 text

CSPM - Cloud Security Posture Management https://github.com/aquasecurity/cloudsploit

Slide 34

Slide 34 text

References
- KubeSec: https://kubesec.aquasec.com/enterprise_online_series
- ISO 27001: https://www.isms.online/iso-27001
- Disaster recovery: https://www.altoros.com/blog/enabling-high-availability-and-disaster-recovery-in-kubernetes
- Azure Cloud Adoption Framework: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/get-started
- Cryptography - Casa Hacker: https://www.youtube.com/watch?v=9CoQpGt6aAg&feature=em-lbrm