Compliance em Cloud Native Carol Valencia @krol_valencia

Carol Valencia Solution Architect in in/carolgv krol3 @krol_valencia @krol_valencia

Iso/iec 27001 Information technology - Security techniques - Information security management systems - Requirements @krol_valencia

https://www.caveonix.com/solutions/iso/ @krol_valencia

https://www.caveonix.com/solutions/iso/ @krol_valencia

https://blog.ine.com/13-effective-security-controls-in-microsoft-azure-for-iso-27001-compliance @krol_valencia

7 https://blog.ine.com/what-is-the-goal-of-azure-security Confidentiality - CIA

https://blog.ine.com/what-is-the-goal-of-azure-security 8 Integrity - CIA

https://blog.ine.com/what-is-the-goal-of-azure-security 9 Availability - CIA

A.8 Asset Management @krol_valencia

@krol_valencia

@krol_valencia

A.9 Access Control https://isoconsultantkuwait.com/2019/12/08/iso-270012013-a-9-access-control/ @krol_valencia

RBAC https://www.cncf.io/blog/2018/08/01/demystifying-rbac-in-kubernetes/ @krol_valencia

Autenticação e Autorização https://theithollow.com/2020/01/21/active-directory-authentication-for-kubernetes-clusters/ @krol_valencia

Acesso ao Cluster Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/ @krol_valencia

A.10 Criptografia § Use of encryption (only TLS for public communication) § Key Management § Certs in Vault @krol_valencia

A.12 Operations Security • Documented Operating Procedures • Event Logging • Management of Technical Vulnerabilities @krol_valencia

A.12.1: Operational procedures and responsibilities https://itnext.io/platform-as-code-how-it-compares-with-infrastructure-as-code-and-what-it-enables-2684b348be2e @krol_valencia

A.12.4: Logging and Monitoring

A.12.5: Integrity of operational systems - Immutable Infrastructure • No SSH on workers • Build from scratch on every update - Rolling redeploy every week with newest K8s

A.12.6: Technical Vulnerability Management - Explicit configured sync from selected public docker images only - Update Checker for system components - Planned: Container Image Scanning https://github.com/aquasecurity/trivy/ @krol_valencia

A.13 Communications Security https://itnext.io/how-to-kubernetes-cluster-network-security-f19bc99161f5 @krol_valencia

NETWORK POLICY USANDO OPA https://www.magalix.com/blog/how-to-enforce-kubernetes-network-security-policies-using-opa @krol_valencia

https://blog.aquasec.com/istio-kubernetes-security-zero-trust-networking @krol_valencia

A.14 System Acquisition, Development & Maintenance https://holisticsecurity.io/2020/02/10/security-along-the-container-based-sdlc @krol_valencia

A.17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT https://www.rancher.co.jp/docs/rke/latest/en/etcd-snapshots/example-scenarios/ - High availability - Backup & Recovery @krol_valencia

A.17 Information Security Aspects of Business Continuity Management https://velero.io/ @krol_valencia

A.17 Information Security Aspects of Business Continuity Management - High availability - Backup & Recovery https://banzaicloud.com/blog/etcd-multi/ @krol_valencia

A.17 Information Security Aspects of Business Continuity Management - High availability - Backup & Recovery https://banzaicloud.com/blog/etcd-multi/ @krol_valencia

CIS Benchmark - CIS Benchmark Linux - CIS Benchmark Docker - CIS Benchmark Kubernetes https://github.com/aquasecurity/kube-bench @krol_valencia

Pentesting em Kubernetes https://github.com/aquasecurity/kube-hunter @krol_valencia

CSPM - Cloud Secure Posture Management https://github.com/aquasecurity/cloudsploit @krol_valencia

References - KubeSec: https://kubesec.aquasec.com/enterprise_online_series - Iso 27001: https://www.isms.online/iso-27001 - Disaster Recovery: https://www.altoros.com/blog/enabling-high-availability-and-disaster- recovery-in-kubernetes - https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/get-started - Cryptografia - Casa Hacker: https://www.youtube.com/watch?v=9CoQpGt6aAg&feature=em-lbrm @krol_valencia