Unlocking DevOps Security: Vault & Keycloak

HusseinMalikMammadli, 38 slides, Mar 04, 2025

About This Presentation

Interested in DevOps security? Whether you are a developer, a security engineer or a DevOps enthusiast, this event is the perfect opportunity to network, share your knowledge and learn the latest practices in the DevSecOps field...


Slide Content

Unlocking DevOps Security

Table of contents
01 Kubernetes Security
02 CI/CD Pipeline Security
03 Infrastructure Security
04 IAM in DevOps (Keycloak)

Infrastructure Security
Infrastructure security involves protecting a company's physical and virtual resources (servers, network devices, cloud environments, etc.).

Infrastructure Security topics:
- WAF - Web Application Firewall
- PAM - Privileged Access Management
- Infrastructure as Code (Terraform, CloudFormation, Terrascan)
- VMware NSX - Network and Security Virtualization
- Configuration Management Tools (Ansible, SaltStack)
- CIS Benchmarks
- Logging of the system (Filebeat, Winlogbeat)
- Secret Management Tools (Vault, AWS Secrets Manager)
- Least Privilege Access implementation, MFA
- Backup and Recovery (implement a backup system and a disaster recovery plan)

WAF (Web Application Firewall) - protects web applications from a variety of application-layer attacks, such as XSS (cross-site scripting) and SQL injection.

PAM (Privileged Access Management) - security tooling for controlling and monitoring the activity of privileged users. Example: CyberArk PAM, BeyondTrust

IaC (Infrastructure as Code) - the ability to provision and support your computing infrastructure using code instead of manual processes and settings. Example: Terraform, Terrascan

VMware NSX | Networking and Security Virtualization

Configuration management tools - automate the configuration (storage, networking, etc.) of servers. Example: Ansible, SaltStack, Chef

CIS Benchmarks (Center for Internet Security) - best practices for implementing security. Link: https://www.cisecurity.org/cis-benchmarks

Logging of the system (Filebeat, Winlogbeat)

Secret Management Tools. Example: Vault, AWS Secrets Manager

Least Privilege Access Management, MFA

Backup and Disaster Recovery

Kubernetes Security topics:
- Container isolation: namespaces & cgroups
- Network Policies (Calico, Cilium, NSX-T)
- RBAC on Kubernetes
- Upgrade the Kubernetes cluster
- etcd encrypted
- Container sandboxing
- mTLS / service meshes - traffic between pods should be encrypted
- OPA - Open Policy Agent
- Falco
- AppArmor, seccomp

Container Isolation: Namespaces & cgroups
Namespaces → isolate what a process can see: other processes, users, filesystems
cgroups → limit what a process can use: RAM, disk, CPU

Network Policies

RBAC on Kubernetes - combinations:
- Role + RoleBinding → user has permissions in a single namespace
- ClusterRole + ClusterRoleBinding → user has the same permissions in all namespaces
- ClusterRole + RoleBinding → user has the same permissions in multiple namespaces
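The three combinations from the slide as manifests, an added example that is not from the slides. The ClusterRole secret-reader is defined once and bound two ways, which is the point of the third combination; the namespaces team-a/team-b, the users alice/bob and the group secret-admins are constructed names.

```yaml
# Added example, not from the slides. All names are constructed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]
---
# ClusterRole + ClusterRoleBinding: same permissions in ALL namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: secret-admins-cluster-wide
subjects:
- {kind: Group, name: secret-admins, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: ClusterRole, name: secret-reader, apiGroup: rbac.authorization.k8s.io}
---
# ClusterRole + RoleBinding: identical rules, but only inside team-b. One such
# RoleBinding per namespace reuses the rule set instead of copying it as a Role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bob-secret-reader
  namespace: team-b
subjects:
- {kind: User, name: bob, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: ClusterRole, name: secret-reader, apiGroup: rbac.authorization.k8s.io}
---
# Role + RoleBinding: rules and grant both live in a single namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: team-a
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-pod-reader
  namespace: team-a
subjects:
- {kind: User, name: alice, apiGroup: rbac.authorization.k8s.io}
roleRef: {kind: Role, name: pod-reader, apiGroup: rbac.authorization.k8s.io}
```

`kubectl auth can-i get secrets --as bob -n team-b` answers yes while the same check with `-n team-a` answers no, which makes the difference between the two bindings of secret-reader visible.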

Upgrading the Kubernetes Cluster

Encryption at rest - encrypt the etcd key-value DB
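Secrets are stored in etcd as plaintext unless the API server is given an EncryptionConfiguration. The file below is an added example, not from the slides; the provider-config path and the key value are placeholders, and the secretbox provider is chosen here because it is the strongest of the built-in (non-KMS) providers.

```yaml
# Added example, not from the slides. Passed to kube-apiserver with
# --encryption-provider-config=<path>; the path and key are placeholders.
# Generate a real 32-byte key with: head -c 32 /dev/urandom | base64
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  # First provider encrypts new writes; every listed provider is tried on read.
  - secretbox:
      keys:
      - name: key1
        secret: "<BASE64_32_BYTE_KEY_PLACEHOLDER>"
  # identity = plaintext. Listed last, it lets secrets that were stored before
  # encryption was enabled still be read until they are rewritten; remove it
  # once everything has been re-encrypted.
  - identity: {}
```

After the API server restarts, existing secrets stay plaintext until rewritten, e.g. with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`; a value read directly from etcd afterwards begins with the prefix `k8s:enc:secretbox:v1:key1:` instead of the plaintext object.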

Container Sandboxing - Kata Containers

gVisor
gVisor is another sandbox runtime: a user-space kernel for containers.

mTLS, Service Mesh
mTLS - mutual TLS: mutual (two-way, bilateral) authentication, in which the two parties authenticate each other at the same time. By default in Kubernetes every pod can communicate with every other pod, and this traffic is unencrypted.

OPA - Open Policy Agent
OPA is an open-source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. OPA Gatekeeper

Falco
Falco is a cloud-native runtime security tool. It provides deep kernel tracing built on the Linux kernel, lets you describe security rules for a system and detects unwanted behaviour, with automated response to security violations.

AppArmor
Profile modes:
- Unconfined → the process is not restricted and can escape
- Complain → violations are allowed but logged
- Enforce → violations are blocked; the process cannot escape

seccomp
seccomp (Secure Computing Mode) is a Linux kernel security feature that restricts the system calls a process can make, significantly reducing the potential attack surface of a process.

CI/CD Pipeline topics:
- GitLab configuration, access management for users, LDAP authentication, branch protection
- GitLab SAST, SCA, DefectDojo, SonarQube, Fortify
- Dependency checks
- Docker images and image vulnerability scanning (Trivy, Clair)

GitLab Configuration
- Access management for users
- LDAP authentication
- Branch protection
- Do not use hard-coded values

GitLab SAST, SCA; Fortify SAST/DAST tool; DefectDojo vulnerability report; SonarQube.

Dependency management - prevent supply chain attacks:
- Use trusted, verified sources for your dependencies
- Organize dependencies in a file and use dependency management tools (Maven, npm or Gradle)
- Use a centralized artifact repository

Dockerfile images:
- Reduce image size by using multi-stage builds
- Always specify a proper version tag for the image; do not use latest
- Use specific package versions
- Do not run as root
- Make the filesystem read-only → RUN chmod a-w /etc
- Remove shell access → RUN rm -rf /bin/*
- Store images in your own private registry

Image Vulnerability Scanning (Trivy, Clair); Dive - tool for image analysis

Keycloak (IAM)
- Authentication & Authorization (OpenID Connect & OAuth2)
- Single Sign-On (SSO)
- User federation (LDAP, AD, DB)
- Social login (Google, Facebook)
- RBAC

Keycloak (IAM) as an Identity Provider in microservices

Keycloak (IAM): Keycloak + Gateway + App

Keycloak deployment on Kubernetes and integration with the app

Thanks!