2. Cloud Security Overview
Secure
- app
- K8s platform
During
- build
- deployment
- runtime
Learning Objectives
security @ cloud production env
system and cluster hardening
security @ container supply chain
Monitor and Log security events
Skills
- package manager
- Git and GitHub
SIG
K8s has 118 SIGs
- Kubernetes Security Profiles Operator SIG: https://github.com/kubernetes-sigs/security-profiles-operator makes managing and applying seccomp and AppArmor profiles easier and more straightforward in Kubernetes
- CNCF Special Interest Group for Security: https://github.com/cncf/sig-security enables secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem
Security Process:
-- Asset Life Cycle
-- SDLC
-- procedure and policy
-- Roles and Responsibilities
Security Principles
- Assessment: More risk with (1) SSO, (2) additional staff, (3) centralized service
- Prevention:
1. technical control: HW and SW
2. procedural control: processes and policies
3. physical control: key card, locks
Asset wise protection
* Service : Available
* Data : Confidential
* Software: Integrity of executable
- Detection:
Easiest and most cost effective
Most expensive and difficult to execute
--- Monitoring: remote logging, system statistics, and performance metrics
--- Intrusion Detection and Prevention Systems (IDPS)
--- Incident detection methods
1. signature-based,
2. statistical anomaly-based,
3. stateful protocol analysis (monitoring)
- Reaction
-- Adding firewall rules,
-- Adding scanners,
-- Re-implementing the systems, or
-- Shutting down certain components
RCA
Attack Types
White Hat: ethical hacker, non-malicious reason
Black Hat
Script Kiddie: non-expert
Hacktivist: DoS, to announce a message
Nation State: intelligence agencies and cyber warfare operatives
Organized Crime
Bots: Automated Software Tools
1. Active Attack
* DoS
* Spoofing Attack: ARP, IP, MAC, DNS are susceptible to spoofing
* ARP storms
* session hijacking
* packet injection
1.1 alter system resources to compromise integrity.
1.2 affect system operation to compromise availability.
2. Passive Attack: Learn system to compromise confidentiality
The 4 Cs of Security
- code, container, cluster, cloud
1. Code: Trusted code
2. Container:
* container vulnerability scanning,
* image signing to ensure nothing has been modified,
* preventing the leveraging of elevated privileges past the least privileges required.
3. Cluster:
* etcd database
* networks: API end points, ports
* worker node: kubelet and kube-proxy
Security Agency and Security Resource
NIST Cyber Security Framework.
- 5 Security activities: Identify, Protect, Detect, Respond, and Recover
- 6 categories of each activity
1. Asset Mgmt
2. Business Env
3. Governance
4. Risk Assessment
5. Risk Mgmt Strategy
6. Supply Chain Risk Mgmt
CNCF Project Categories
1. Graduated: Kubernetes, Prometheus, Envoy, Helm, Fluentd, Jaeger, etc.
2. Incubating: CNI, CRI-O, Linkerd, OpenTracing, Thanos, etc.
3. Sandbox: Artifact Hub, k3s, in-toto, Keylime, Parsec, etc.
4. Archived: rkt
* Artifact Hub: Package management directory
* in-toto: A framework to secure the integrity of software supply chains
* Keylime: scalable trust system harnessing TPM Technology
* Parsec: Platform AbstRaction for SECurity: common API to hardware security and cryptographic services in a platform-agnostic way.
Parsec aims to define a universal software standard for interacting with secure object storage and cryptography services, creating a common way to interface with functions that would traditionally have been accessed by more specialized APIs.
Acronyms
BOD: Binding Operational Directives
CIS: Center for Internet Security
CISA: Cybersecurity and Infrastructure Security Agency
CSF: Cybersecurity Framework
CSRC: Computer Security Resource Center
FIPS: Federal Information Processing Standard
HVA: High Value Asset
NIST: National Institute of Standards and Technology
NVD: National Vulnerability Database
PARSEC: Platform AbstRaction for SECurity
SAML: Security Assertion Markup Language
SELinux: Security-Enhanced Linux
------------------------
SELinux: a security architecture for Linux systems that allows administrators to have more control over who can access the system
Kerberos: Network authentication protocol
SAML: an open standard for exchanging authentication and authorization data between parties (an identity provider and a service provider).