A Cloud Security Roadmap Template

Version 1.2

This micro-website contains the full list of controls (94 as of today) that can be rolled out to establish a cloud security program aimed at protecting a cloud-native, service-provider-agnostic, container-based offering.

For an explanation of the content of the table below, please refer to the companion blog post:
"On Establishing a Cloud Security Program".

# Domain Control Task Description Status Priority Maturity Layer Epic Deliverable Artifact Useful Resources Metric CSA CCM
0 [1] Policies and Standards Definition of Security Policies Definition of Cloud Security Policy Policies shall be established, to provide reference documentation on best practices for cloud security. NOT STARTED 1 0 CSP+K8S
1 [1] Policies and Standards Definition of Security Policies Definition of Identity and Access Management Policy Policies shall be established, to provide reference documentation around Identity and Access Management. NOT STARTED 2 0 CSP+K8S
2 [1] Policies and Standards Definition of Security Policies Definition of Encryption and Key Management Policy Policies shall be established, to provide reference documentation around encryption and key management. NOT STARTED 2 0 CSP+K8S EKM-01 EKM-02 EKM-03 EKM-04
3 [1] Policies and Standards Definition of Security Policies Definition of Data Handling/Labeling Security Policy Policies shall be established, to help ensure that data is appropriately collected, processed, stored and protected to ensure its confidentiality, integrity and availability. NOT STARTED 2 0 CSP+K8S DSI-04
4 [1] Policies and Standards Definition of Security Standards Definition of Cloud Security Standard Standards shall be established, to provide reference documentation on best practices for Cloud security, with a particular focus on CSPs, Kubernetes, and Docker. NOT STARTED 3 0 CSP+K8S
5 [1] Policies and Standards Definition of Security Standards Definition of Identity and Access Management Standard User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all cloud infrastructure. These policies, procedures, processes, and measures must incorporate the following: • Procedures and supporting roles and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function • Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, and personnel redundancy for critical systems) • Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other tenant) • Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation) • Account credential lifecycle management from instantiation through revocation • Account credential and/or identity store minimization or re-use when feasible • Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expireable, non-shared authentication secrets) • Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions • Adherence to applicable legal, statutory, or regulatory compliance requirements NOT STARTED 3 0 CSP+K8S IAM-01 IAM-02 IAM-04 IAM-05 IAM-08 IAM-13
6 [1] Policies and Standards Definition of Security Standards Definition of Encryption Standard Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations. NOT STARTED 3 0 CSP+K8S EKM-03 EKM-04
7 [1] Policies and Standards Definition of Security Standards Definition of Key Management/Generation Standard Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). NOT STARTED 3 0 CSP+K8S EKM-01 EKM-02 EKM-03 EKM-04
8 [1] Policies and Standards Definition of Security Standards Definition of Data Handling/Labeling Security Standard Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data. NOT STARTED 3 0 CSP+K8S DSI-04
9 [1] Policies and Standards Definition of Security Standards Definition of Production Changes Standard Policies and procedures shall be established for managing the risks associated with applying changes to: • Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations. • Infrastructure network and systems components. Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment. NOT STARTED 3 0 CSP+K8S CCC-05
10 [1] Policies and Standards Definition of Security Standards Definition of Vulnerability / Patch Management Standard • Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. • A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. • Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. • Upon request, the provider informs customer (tenant) of policies and procedures and identified weaknesses especially if customer (tenant) data is used as part the service and/or customer (tenant) has some shared responsibility over implementation of control. NOT STARTED 1 0 CSP+K8S TVM-02 IVS-05
11 [1] Policies and Standards Definition of Business Continuity Plans Audit Planning Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. Particular emphasis should be put on processes defining how to control access to the audit logs. NOT STARTED 4 0 CSP+K8S AAC-01
12 [1] Policies and Standards Definition of Business Continuity Plans Business Continuity Planning A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following: • Defined purpose and scope, aligned with relevant dependencies • Accessible to and understood by those who will use them • Owned by a named person(s) who is responsible for their review, update, and approval • Defined lines of communication, roles, and responsibilities • Detailed recovery procedures, manual work-around, and reference information • Method for plan invocation NOT STARTED 4 0 CSP+K8S BCR-01
13 [1] Policies and Standards Definition of Business Continuity Plans Retention Policy Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness. NOT STARTED 4 0 CSP+K8S BCR-11
14 [1] Policies and Standards Definition of Business Continuity Plans Impact Analysis There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following: • Identify critical products and services • Identify all dependencies, including processes, applications, business partners, and third party service providers • Understand threats to critical products and services • Determine impacts resulting from planned or unplanned disruptions and how these vary over time • Establish the maximum tolerable period for disruption • Establish priorities for recovery • Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption • Estimate the resources required for resumption NOT STARTED 5 0 CSP+K8S BCR-09
15 [1] Policies and Standards Definition of Business Continuity Plans Incident Management Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures. NOT STARTED 3 0 CSP+K8S SEF-02
16 [2] Architecture Network Network Architecture Review Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks. NOT STARTED 1 0 CSP IAM-03 IVS-13
17 [2] Architecture Network Network Security Design Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and by compensating controls. In addition, data that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data. NOT STARTED 1 0 CSP+K8S IAM-03 IVS-06
18 [2] Architecture Network Segregation of Production / Non-Production Environments Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Separation of the environments may include: stateful inspection firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments as part of their job duties. NOT STARTED 1 0 CSP IVS-08
19 [2] Architecture Network Network Segmentation Review Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations: • Established policies and procedures • Isolation of business critical assets and/or sensitive user data, and sessions that mandate stronger internal controls and high levels of assurance • Compliance with legal, statutory, and regulatory compliance obligations NOT STARTED 1 0 CSP IVS-09
20 [2] Architecture IAM IAM Framework Design A Design should be created to outline the Identity and Access Control processes to be adopted, with a focus on: • Authentication and Authorization - which covers topics like Identity Management, access to cloud resources, escalation of privileges, and access to Kubernetes clusters for both users and automated services. • Identity and Access Management as Code - which defines how the set of different groups, roles, and permissions are going to be defined as policy as code. NOT STARTED 1 0 CSP+K8S IAM-01 IAM-02 IAM-04 IAM-05 IAM-08 IAM-13
21 [2] Architecture IAM IAM Framework Implementation Ensure a proper implementation of the concepts defined in the IAM Framework Design, ensuring: • A single source of truth for principals (e.g., LDAP, Okta, Google Groups) • A single source of truth for bindings between principals and allowed roles (e.g., Vault) • RBAC in Kubernetes clusters is kept in sync (e.g., RBACSync) • Everything is defined as code so that it can fall under the standard PR/review/audit process • Access is reviewed and audit logs are stored NOT STARTED 1 0 CSP+K8S IAM-01 IAM-02 IAM-04 IAM-05 IAM-08 IAM-13
22 [2] Architecture IAM User Credentials Management Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management are in accordance with established policies and procedures: • Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation) • Account credential lifecycle management from instantiation through revocation • Account credential and/or identity store minimization or re-use when feasible • Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expireable, non-shared authentication secrets) NOT STARTED 2 0 CSP+K8S IAM-12
23 [2] Architecture IAM User Access Authorization Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization's management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer (tenant) of this user access, especially if customer (tenant) data is used as part the service and/or customer (tenant) has some shared responsibility over implementation of control. NOT STARTED 2 0 CSP+K8S IAM-09
24 [2] Architecture Misc Architecture Inventory of microservices Implement a method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices) of each microservice composing the product offering. NOT STARTED 2 0 K8S
25 [2] Architecture Misc Architecture Secrets management Define strategy for secrets management from within a cluster (e.g., HashiCorp Vault): • How the primary-secondary model has been implemented? • How can clusters interact with Vault? • What's the access level granted to the CI/CD system? NOT STARTED 1 0 K8S
26 [2] Architecture Misc Architecture Classification / Tagging Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization. This can be implemented by a tagging strategy which identifies cloud provider assets and containers provisioned with Kubernetes. This strategy should follow a structured data-labelling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance). For example, yor can be used to add informative and consistent tags across infrastructure-as-code frameworks. NOT STARTED 2 0 CSP+K8S DSI-01
27 [2] Architecture Misc Architecture Alignment with Industry Standards and Best Practices The cloud environment deployments shall align with industry standards and best practices like: • CIS Benchmarks • Cloud Security Alliance controls • CAIQ/NIST guidelines (when relevant) NOT STARTED 3 0 CSP+K8S
28 [2] Architecture Misc Architecture Kafka Deployments Provide consultancy around the implementation of security controls to restrict access to Kafka topics, assessing the current setup, recommending potential improvements/requirements and defining a plan to implement those. NOT STARTED 3 0 K8S So I Heard You Want to Learn Kafka
29 [2] Architecture Misc Architecture Istio Deployments Provide consultancy around the implementation of security controls around Istio deployments, assessing the current setup, recommending potential improvements/requirements and defining a plan to implement those. NOT STARTED 3 0 K8S
30 [3] Verification Cloud Assets Inventory On-Demand Assets Inventory Solutions should be put in place to detect, identify, categorize, and visualize all the assets being deployed in the different cloud environments (e.g., via Cartography). NOT STARTED 1 0 CSP Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography
31 [3] Verification Cloud Assets Inventory Continuous Assets Inventory Provide automatic inventory of the cloud assets (e.g., via Cartography), with integration with the security pipeline (e.g., SIEM, Jira, Slack). NOT STARTED 2 0 CSP Tracking Moving Clouds: How to continuously track cloud assets with Cartography
32 [3] Verification Cloud Assets Inventory New Assets Identification Automatic identification of new assets being deployed in the cloud environments, including: • New AWS accounts / GCP projects. • New instances of known managed services. • New instances of managed services not previously used. NOT STARTED 3 0 CSP Tracking Moving Clouds: How to continuously track cloud assets with Cartography
33 [3] Verification Cloud Deployments On-Demand Validation of Cloud Deployments Automatic validation of the configuration of live cloud deployments should be performed so to detect security misconfigurations and deviations from the Security Policies (e.g., via ScoutSuite). NOT STARTED 1 0 CSP Audit AWS Accounts
34 [3] Verification Cloud Deployments Cloud Continuous Compliance Provide continuous identification of deviations from defined Security Policies and compliance frameworks (e.g., via AWS Security Hub and GCP Security Command Center), with a process fully integrated within the security pipeline (e.g., SIEM, Jira, Slack). NOT STARTED 3 0 CSP
35 [3] Verification Cloud Deployments Public Endpoints Detection A solution should be put in place, that integrates with the existing data sources if possible (e.g., Cartography, etc.), and alerts if there are any publicly accessible endpoints that weren't already allow-listed. NOT STARTED 1 0 CSP
36 [3] Verification Cloud Deployments Independent Audits Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations. NOT STARTED 2 0 CSP AAC-02
37 [3] Verification Kubernetes Clusters On-Demand Validation of Clusters Automatic validation of the configuration of live Kubernetes clusters and running containers should be performed so to detect any vulnerable configuration (e.g., via kube-bench). NOT STARTED 1 0 K8S Audit Kubernetes Clusters
38 [3] Verification Kubernetes Clusters Continuous Live Validation of Clusters Provide continuous identification of deviations from defined Security Policies and compliance frameworks, with a process fully integrated within the security pipeline (e.g., SIEM, Jira, Slack). NOT STARTED 2 0 K8S
39 [3] Verification Access Control Validation IAM Verification and Sanitization - Cloud Deployments Verification of the actual state of IAM and sanitisation of cases not compliant with the Cloud Security Policy. NOT STARTED 1 0 CSP
40 [3] Verification Access Control Validation IAM Verification and Sanitization - Kubernetes Verification of the actual state of IAM and sanitisation of cases not compliant with the Cloud Security Policy. NOT STARTED 1 0 K8S
41 [3] Verification Access Control Validation User Access Reviews User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization's business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies and procedures. NOT STARTED 4 0 CSP+K8S IAM-10
42 [3] Verification Access Control Validation Audit Tools Access Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segregated and access restricted to prevent inappropriate disclosure and tampering of log data. NOT STARTED 4 0 CSP+K8S IAM-01
43 [4] Supply Chain Security Image/Pod Security Base Images Definition Maintain standard base images and ensure all workloads use them. NOT STARTED 2 0 K8S Docker Focus Areas
44 [4] Supply Chain Security Image/Pod Security Image Hardening Ensure the set of chosen base images has been hardened to ensure: • Control groups (cgroups) are set to control amount of resources a process can use thus preventing DoS via system resource exhaustion. • Mandatory access control (MAC) is enforced to prevent undesired operations at the kernel level, by confining processes to a limited set of system resources or privileges. • Capabilities that are not required are dropped. • User namespaces are enforced to limit the maximum privileges of containers over the host. • Attack surface is reduced, for example by: - Removing users/packages/setuid-gid permissions. - Using non-root users. - Monitoring dangerous endpoints. NOT STARTED 2 0 K8S Docker Focus Areas
45 [4] Supply Chain Security Image/Pod Security Dockerfile Linting Analyze Dockerfiles to automatically enforce (e.g., via OPA/Conftest): • Whitelisting of base images. • Use of specific tags. • Use of sensitive volumes. • Squashing of images. • Absence of installation of third party software (e.g., via APK, APT, or PIP). • Deviations from Docker CIS Benchmark. NOT STARTED 3 0 K8S Docker Focus Areas
46 [4] Supply Chain Security Continuous Integration (CI) Secure Images Enforcing Enforce usage of chosen hardened base images. NOT STARTED 2 0 K8S
47 [4] Supply Chain Security Continuous Integration (CI) OS Hardening and Base Controls Each operating system (or CSP AMI) should be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls (e.g., file integrity monitoring, and logging) as part of their baseline operating build standard or template. NOT STARTED 3 0 CSP+K8S IVS-07
48 [4] Supply Chain Security Continuous Integration (CI) Container Images Scanning Containers should be automatically scanned for known vulnerabilities so to ensure that images meet Docker Security Best Practices. In addition pre-merge, tests should be put in place to proactively prevent the creation of images containing known vulnerabilities, unless an exception has been issued. NOT STARTED 1 0 CSP+K8S Container Scanning Strategies
49 [4] Supply Chain Security Continuous Integration (CI) Terraform Scanning Perform static analysis of Terraform templates to identify potential security issues (e.g., via tfsec, checkov, terrascan, tf-parliament, etc.). In addition, pre-merge tests should be put in place to proactively prevent builds containing files not in line with the defined Policy as Code, unless an exception has been issued, NOT STARTED 2 0 CSP Terraform Scanning
50 [4] Supply Chain Security Continuous Integration (CI) Static Validation of Cloud Deployments Automatic validation of the configuration of the Cloud deployments (i.e., Kubernetes maniftests, Dockerfiles, and Terraform recipes) should be performed so to detect any vulnerable configuration (via OPA/conftest). In addition, pre-merge tests should be put in place to proactively prevent builds containing files not in line with the defined Policy as Code, unless an exeption has been issued. NOT STARTED 2 0 CSP+K8S Compliance as Code
51 [4] Supply Chain Security Continuous Integration (CI) Github Org monitoring Monitor the Organization activity and scan for leaked secrets. In addition, analyze the Organization's history via ad-hoc queries (e.g., github-activity-counter). NOT STARTED 3 0 CSP
52 [4] Supply Chain Security Continuous Integration (CI) Secrets leaking prevention Solutions should be put in place to automatically detect secrets and credentials leaked in the code base. In addition, pre-merge tests should be put in place to proactively preventing hardcoding of secrets (e.g., yelp-detect-secrets), with the CI refusing to build/merge containing secrets unless an exception has been issued. NOT STARTED 2 0 K8S Secrets Management
53 [4] Supply Chain Security Continuous Delivery (CD) Secure Registry Definition Ensure all the workloads will fetch container images from a secure and hardened Container Registry. NOT STARTED 1 0 CSP+K8S Image Pipeline
54 [4] Supply Chain Security Continuous Delivery (CD) Protect Supply Chain Integrity Utilize a framework (like TUF, in-toto, providence) to protect the integrity of the Supply Chain. NOT STARTED 5 0 CSP+K8S Pipeline Supply Chain
55 [4] Supply Chain Security In-Cluster Controls Enforcement of Cluster Configuration Automatic validation of the configuration of the Kubernetes clusters and running containers should be performed so to detect any vulnerable configuration. This can be performed with OPA/gatekeeper. NOT STARTED 3 0 K8S Compliance as Code
56 [4] Supply Chain Security In-Cluster Controls Enforcement of Binary Authorization Security control that ensures only trusted container images are deployed on to the infrastructure. This consists of a chain of tools, Binauth Signing, Grafeas/Container Anaylsis API and Kritis. NOT STARTED 3 0 K8S Binary Authorization
57 [4] Supply Chain Security AWS-Specific Controls Restrict access to privileged AWS users Define process for managing root users for master and member accounts within the AWS Organization. NOT STARTED 1 0 CSP
58 [4] Supply Chain Security AWS-Specific Controls Deploy AWS Service Control Policies (SCPs) Service control policies (SCPs) are a type of organization policy that can be use to manage permissions within an organization. SCPs offer central control over the maximum available permissions for all accounts in the organization, and ensure each sub-account stays within the organization's access control guidelines. NOT STARTED 2 0 CSP AWS SCPs
59 [4] Supply Chain Security AWS-Specific Controls Harden the AWS Organization Perform a review of the managed services utilised within the AWS Organization, and ensure proper hardening is in place. NOT STARTED 3 0 CSP AWS Security Maturity Roadmap
60 [4] Supply Chain Security AWS-Specific Controls Restrict AWS API calls to specific IP addresses Require that both console access and API calls only originate from a set of allow-listed IP address/ranges. NOT STARTED 4 0 CSP
61 [4] Supply Chain Security GCP-Specific Controls Restrict access to privileged GCP users Define process for managing privileged users for Projects within the GCP Organization. NOT STARTED 1 0 CSP
62 [4] Supply Chain Security GCP-Specific Controls Deploy GCP Organization Policy Service The Organization Policy Service provides centralized and programmatic control over an organization's cloud resources, allowing to configure constraints across the entire resource hierarchy (similar to AWS SCPs). NOT STARTED 2 0 CSP
63 [4] Supply Chain Security GCP-Specific Controls Harden the GCP Organization Perform a review of the managed services utilised within the GCP Organization, and ensure proper hardening is in place. NOT STARTED 3 0 CSP
64 [5] Monitoring and Alerting Logging in Cloud Environments Define Security Logging Strategy in Cloud Environments A security logging and monitoring solution, with well established metrics and integrations with the SIEM, should be defined so to be able to generate security-related logs from all cloud environments (regardless of the CSP). NOT STARTED 1 0 CSP Security Logging in Cloud Environments - AWS Security Logging in Cloud Environments - GCP
65 [5] Monitoring and Alerting Logging in Cloud Environments Enable Security Logging in Cloud Environments Enable logging in each account of every cloud provider used, as defined in the Security Logging Strategy above. NOT STARTED 2 0 CSP Security Logging in Cloud Environments - AWS Security Logging in Cloud Environments - GCP
66 [5] Monitoring and Alerting Logging in Cloud Environments Define Monitoring and Alerting for Cloud Environments Define monitoring patterns and alert rules to be used for cloud environments. NOT STARTED 2 0 CSP
67 [5] Monitoring and Alerting Logging in Kubernetes Clusters Define Security Logging Strategy in Kubernetes Clusters A security logging and monitoring solution, with well established metrics and integrations with the SIEM, should be defined so to be able to generate security-related logs from all Kubernetes clusters. NOT STARTED 1 0 K8S
68 [5] Monitoring and Alerting Logging in Kubernetes Clusters Enable Security Logging in Kubernetes Clusters Enable logging in each Kubernetes cluster, as defined in the Security Logging Strategy above. NOT STARTED 2 0 K8S
69 [5] Monitoring and Alerting Logging in Kubernetes Clusters Define Monitoring and Alerting for Kubernetes Clusters Define monitoring patterns and alert rules to be used for Kubernetes environments. NOT STARTED 2 0 K8S
70 [5] Monitoring and Alerting Audit Logging Tamper Detection Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach. NOT STARTED 3 0 CSP IVS-01
71 [5] Monitoring and Alerting Audit Logging Change Detection Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts). NOT STARTED 4 0 K8S IVS-02
72 [5] Monitoring and Alerting Runtime Detection Runtime Anomaly/Intrusion Detection File integrity (host) and network intrusion detection (IDS) tools must be implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents. In particular, processes and tools shall be put in place to implement a runtime anomaly detection solution, aligned with MITRE ATTandCK for Cloud. NOT STARTED 4 0 CSP+K8S
73 [5] Monitoring and Alerting Runtime Detection Kubernetes Runtime Threat Detection A solution should be put in place to provide runtime security within Kubernetes clusters. This could be accomplished via Falco, a Kubernetes threat detection engine. NOT STARTED 4 0 K8S
74 [5] Monitoring and Alerting Runtime Detection Data Loss Prevention A solution should be put in place to detect exfiltration of data, by monitoring egress traffic. NOT STARTED 5 0 CSP
75 [5] Monitoring and Alerting Runtime Detection Manual Console Access Detection A solution should be put in place to detect and alert whenever someone makes a manual change in the CSP Console. NOT STARTED 3 0 CSP
76 [5] Monitoring and Alerting Runtime Detection Credential Compromise Detection Processes and tools shall be put in place to implement a credential compromise detection solution. NOT STARTED 3 0 CSP
77 [5] Monitoring and Alerting Alerting and Reporting Basic Reporting Logged data and anomalies shall be aggregated and reported, and visualizations shall be created to facilitate their consumption. NOT STARTED 3 0 CSP+K8S
78 [5] Monitoring and Alerting Alerting and Reporting Enhanced Reporting Fine tune reporting and dashboards. NOT STARTED 5 0 CSP+K8S
79 [5] Monitoring and Alerting Alerting and Reporting Basic Alerting Workflows to deliver notifications (e.g., StreamAlert, PagerDuty) shall be created. NOT STARTED 3 0 CSP+K8S
80 [5] Monitoring and Alerting Alerting and Reporting Enhanced Alerting Fine tune alerting. NOT STARTED 5 0 CSP+K8S
81 [6] Incidents and Remediation Containment Define Containment Playbooks Playbooks should be created to define detailed processes to follow in case of an incident, and whenever an Incident Responder has to manually contain a compromise. NOT STARTED 4 0 CSP+K8S
82 [6] Incidents and Remediation Containment Automate Containment Automated processes should be put in place to automate the containment of (at least) the most common compromise types (e.g., quarantine an EC2, quarantine credentials, apply public access block on S3, etc.). NOT STARTED 5 0 CSP+K8S
83 [6] Incidents and Remediation Containment User Access Revocation Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be implemented as per established policies and procedures and based on the user's change in status (e.g., termination of employment or other business relationship, job change, or transfer). Automated remediation shall include (but not be limited to): • remove inactive IAM roles after a pre-defined time period • remove unused privileges • disable any kind of security credentials found to have been compromised/leaked NOT STARTED 4 0 CSP+K8S IAM-11
84 [6] Incidents and Remediation Automatic Remediation Cloud Configuration Remediation Automated processes should be put in place to automate the remediation of (at least) the most common types of misconfigurations. This could be accomplished with tools like CloudCustodian. NOT STARTED 3 0 CSP
85 [6] Incidents and Remediation Automatic Remediation Automatic Correction - Drift Detection Solutions should be put in place to automatically correct deviations from known good state in Production and to restore the original configuration defined by infrastructure as code. NOT STARTED 3 0 CSP
86 [6] Incidents and Remediation Automatic Remediation Automatic Correction - IAM Drift on Cloud Deployments Solutions should be put in place to automatically correct deviations from known good state and to restore the original configuration defined by infrastructure as code (e.g., repokid, cloudtracker, aws-key-disabler, pmapper). NOT STARTED 4 0 CSP
87 [6] Incidents and Remediation Automatic Remediation Automatic Correction - IAM Drift in Kubernetes Solutions should be put in place to automatically correct deviations from known good state and to restore the original configuration defined by infrastructure as code (e.g., kubectl-who-can, rakkess/krew access-matrix, krew rbac-view). NOT STARTED 4 0 CSP
88 [6] Incidents and Remediation Forensics Define Forensic Playbooks Playbooks should be created to define detailed processes to follow in case of an incident, and whenever an Incident Responder has to manually collect evidence. NOT STARTED 5 0 CSP+K8S
89 [6] Incidents and Remediation Forensics Forensic Evidence Collection Solutions should be put in place to automate collection of evidence after the declaration of a security incident. NOT STARTED 5 0 CSP+K8S
90 [6] Incidents and Remediation Forensics Incident Response Metrics Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents. NOT STARTED 5 0 CSP+K8S SEF-05
91 [7] Business Continuity Disaster Recovery Plan Disaster Recovery Plan Definition A Disaster Recovery Plan should be outlined for the event of an outage/failure of one or more core components of the infrastructure (e.g., failure of an AZ or Region). NOT STARTED 4 0 CSP
92 [7] Business Continuity Disaster Recovery Plan Disaster Recovery Testing Tabletop exercises should be conducted to test the effectiveness of controls put in place to mitigate an eventual failure of one or more core components of the infrastructure. NOT STARTED 5 0 CSP
93 [7] Business Continuity Disaster Recovery Plan Disaster Recovery Drill Simulation of the failure of one or more core components of the infrastructure should be performed periodically to ensure processes, methodologies, and technical controls are in place to withstand such an event. NOT STARTED 5 0 CSP
94 [7] Business Continuity Business Continuity Business Continuity Testing Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies. NOT STARTED 5 0 CSP BCR-02