CNCF Cloud Native Security Whitepaper
The Cloud Native Security Whitepaper has been released as part of the #kubecon2020.
The entire Cloud Native Landscape is also published here.
A high level screengrab from the landscape is as below :
Key Takeaways are :
- Cloud Native Goals which should be Top Priority for Digital Transformation.
- Vulnerability Management
- Zero Trust
- Cloud Security
2. Security Benchmarks
- NIST Application Security Container Guide
- Center for Internet Security (CIS)
- NIST Security Strategies for Microservices
3. Integrated Developer Experience with Security as a First Class Citizen
4. Protection from unauthorized access (person and non-person entities) — Ephemerality reduces the asset exposure to unauthorized entities by constantly rebasing from a last known working configuration.
5. Immutability to preserve the integrity of content and code.
6. Distributed availability of services and tooling to avoid single point of failure (SPF).
7. Auditing and Accountability — Cover for governance and keep track of unauthorised changes and thereby prevent irregularities.
8. SIG Use Cases : https://github.com/cncf/sig-security/blob/master/usecases.md
9. Threat Intelligence using the MITRE ATT&CK framework for Cloud.
10. Leverage mutual / two-way transport (bi-directional) authN between Client to Server for all workloads and use both Attribute-Based Access Control (ABAC) and Role-Based Access Control(RBAC) to provide granular authorization.
11. Eliminate Implicit Trust — Leverage Service Mesh(SM) to help with implicit trust and data in motion encryption. SM also helps with dealing with identity issues where traditional Layer and 4 Ip addresses cannot map to workloads cleanly. Resiliency patterns are baked right into the SM for example Exponential Backoff and Retries, Timeouts and Circuit Breaker etc. Streaming platforms can also leverage SM to use workload level AuthZ to set access ruled for topics and brokers.
Runtime Environment (logical view)
If you are interested to follow the Security Special Interest Group the links are as below :
Github : https://github.com/cncf/sig-security