2. Cloud Security Overview


Secure

- app

- K8s platform

During

- build

- deployment

- runtime

Learning Objectives

security @ cloud production env

system and cluster hardening

security @ container supply chain

Monitor and Log security events

Skills

- package manager

- Git and Github

SIG

K8s has 118 SIG

- Kubernetes Security Profiles Operator SIG : https://github.com/kubernetes-sigs/security-profiles-operator to make managing and applying seccomp and AppArmor profiles more easy and straight forward in Kubernetes

- CNCF Special Interest Group for Security: https://github.com/cncf/sig-security enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem

Security Process:

-- Asset Life Cycle

-- SDLC

-- procedure and policy

-- Roles and Responsibilities 

Security Principles

- Assessment: More risk with (1) SSO, (2) additional staff, (3) centralized service

- Prevention:

1. technical control: HW and SW

2. procedural control: processes and policies

3. physical control: key card, locks

Asset wise protection

* Service : Available

* Data : Confidential

* Software: Integrity of executable 

- Detection:

Easiest and most cost effective

Most expensive and difficult to execute

--- Monitoring: remote logging, system statistics, and performance metrics

--- Intrusion Detection and Prevention Systems (IDPS)

--- Incident detection methods 

1. signature-based, 

2. statistical anomaly-based, 

3. stateful protocol analysis (monitoring) 

- Reaction 

-- Adding firewall rules, 

-- Adding scanners, 

-- Re-implementing the systems, or 

-- Shutting down certain components

RCA

Attack Types

White Hat: ethical hacker, non-malicious reason

Black Hat

Script Kiddie: non-expert

Hacktivist: DoS. To announce message

Nation State:  intelligence agencies and cyber warfare operatives 

Organized Crime

Bots: Automated Software Tools

1. Active Attack

* DoS

* Spoofing Attack : ARP, IP, MAC, DNS are susceptible for spoofing

ARP storms

* session hijacking

* packet injection

1.1 alter system resources to compromise integrity.

1.2 affect system operation to compromise availability.

2. Passive Attack: Learn system to compromise confidentiality 

The 4 Cs of Security

code, container, cluster, cloud

1. Code: Trusted code

2. Container: 

* container vulnerability scanning, 

* image signing to ensure nothing has been modified, 

* preventing the leveraging of elevated privileges past the least privileges required.

3. Cluster: 

* etcd database

* networks: API end points, ports

* worker node: kubelet and kubeproxy

Security Agency and Security Resource

NIST Cyber Security Framework. 

5 Security activities: Identify, Protect, Detect, Respond, and Recovery

- 6 categories of each activities

1. Asset Mgmt

2. Business Env

3. Governance

4. Risk Assessment 

5. Risk Mgmt Strategy

6. Supply Chain Risk Mgmt

CNCF Project Categories

1. Graduated: Kubernetes, Prometheus, Envoy, Helm, Fluentd, Jaeger, etc.

2. Incubating: CNI, CRI-O, Linkerd, OpenTracing, Thanos, etc.

3. Sandbox: Artifact Hub, k3s, in-toto, Keylime, Parsec, etc.

4. Archived: rkt

Artifact Hub: Package management directory 

* in-toto: A framework to secure the integrity of software supply chains

* Keylime: scalable trust system harnessing TPM Technology

* Parsec: Platform AbstRaction for SECurity: common API to hardware security and cryptographic services in a platform-agnostic way.

Parsec aims to define a universal software standard for interacting with secure object storage and cryptography services, creating a common way to interface with functions that would traditionally have been accessed by more specialized APIs.

Acronyms 

BOD: Binding Operational Directives

CIS: Center for Internet Security

CISA: Cybersecurity and Infrastructure Security Agency

CSF: Cybersecurity Framework

CSRC: Computer Security Resource Center

FIPS: Federal Information Processing Standard

HVA: High Value Asset 

NIST: National Institute of Standards and Technology

NVD: National Vulnerability Database

PARSEC: Platform AbstRaction for SECurity

SAML: Security Assertion Markup Language 

SELinux: Security-Enhanced Linux

------------------------

SELinux:  a security architecture for Linux systems that allows administrators to have more control over who can access the system

Kerberos : Network authentication protocol

SAML: an open standard for exchanging authentication and authorization data between parties (identity provider and a service provider.)