If you've found this useful please consider supporting me!

These notes are intended for a cloud native friendly, enterprise company.

Work management

• Legal responsibilities?

  • CISO
  • ISO 27001

• Kanban style or FiFo (high risk new vulnerabilities going again on the top)?

Cloud Native Security Whitepaper | CNCF TAG Security

Dev Teams

• Repository Mandatory Pre commit hooks
  • Static code analysis
  • Security-linter
  • Signed commits
• Docker container scanning at build time (Grype/Trivy) and runtime (Anchore)
• Automated dependencies updates (Renovate)
• Automated leaking secret scanning (Gitleaks / Trufflehog)
• 🔏 Only private docker images in all services based on multi-stage images configured from scratch or Alpine
• OWASP API Security Top 10 Overview & Best Practices | F5

People

Devices: - Automatic updates - Certified in EU, - No apps from outside marketplace, - Enforce certificates with 2FA

Management & VP: - periodical smartphone and laptop reset - Management: physical access key to login to VPN - Social networks - No public profiles - No apps from non democratic countries

Processes

• Automated penetration test pipelines
• Weekly Cis Benchmark
• Quarterly Well architected Framework review
• Continuous Chaos engineering (Litmus)
• Zero trust architecture
  • Seven zero trust rules for Kubernetes | CNCF
  • Https everywhere
  • Spiffe / Spire

Ops

Dashboard:
- Grafana is an open-source analytics and monitoring platform. It integrates seamlessly with Prometheus to visualize metrics. You can create dashboards to monitor the health and performance of your AKS clusters.
- Kibana

Logs:
- OpenTelemetry: a unified approach to collecting metrics, logs, and traces. It’s an observability framework that supports multiple backends, including Prometheus and Jaeger (logz).
- Fluentd: For log aggregation, Fluentd can be used to collect and forward logs to various destinations, including Elasticsearch and Azure Monitor.

Metrics: - Prometheus is a powerful open-source monitoring and alerting toolkit. It can scrape metrics from your AKS clusters and store them in a time-series database. You can set up Prometheus to monitor various metrics from your Kubernetes environment.

Traces: - Jaeger is an open-source tool for tracing and monitoring microservices. It helps you understand the performance of your microservices by providing end-to-end distributed tracing. You can deploy Jaeger in your AKS cluster to collect and visualize traces.

Alerts: - Site 24x7 - Alertmanager works with Prometheus to handle alerts. It can route alerts to different receivers like email, Slack, MS Teams, or other notification systems. You can configure Alertmanager to manage and silence alerts based on your requirements. - prometheus-msteams/prometheus-msteams: Forward Prometheus Alert Manager notifications to Microsoft Teams. (github.com)

• Platform security standard enforcement (kyverno)
• Runtime dependencies + licenses scan (Dependency Track)

Kubernetes specific configurations:

• External Secrets Operator
  • Introduction - External Secrets Operator (external-secrets.io)
• K8S Network policies
• RBAC based service accounts bound to AD users

Advanced topics

• Honeypots
  • 2021 Honeypot Introduction (Cyber Security Series) (youtube.com)

IT

• VPN
• Firewalls
• VNet
• ...