Unlocking DevOps
Security
Table of contents
01 Kubernetes Security
02 CI/CD Pipeline Security
03 Infrastructure Security
04 IAM in DevOps (Keycloak)
Infrastructure Security
Infrastructure security involves protecting a company's physical and virtual resources (servers, network devices, cloud environments, etc.).
Infrastructure Security
● WAF - Web Application Firewall
● PAM - Privileged Access Management
● Infrastructure as Code (Terraform, CloudFormation) and IaC scanning (Terrascan)
● VMware NSX - Network and Security Virtualization
● Configuration Management Tools (Ansible, SaltStack)
● CIS Benchmarks
● System logging (Filebeat, Winlogbeat)
● Secret Management Tools (Vault, AWS Secrets Manager)
● Least Privilege Access Implementation, MFA
● Backup and Recovery (implement a backup system and a disaster recovery plan)
Infrastructure Security
WAF (Web Application Firewall) - Protects web applications from a variety of application-layer attacks, such as XSS (cross-site scripting) and SQL injection. A WAF filters requests in front of the application; it reduces exposure but does not replace fixing the vulnerability in the code.
Infrastructure Security
PAM (Privileged Access Management) - Security tooling for controlling, recording and monitoring the activity of privileged users (administrators, root, service accounts), typically by vaulting the privileged credentials and recording sessions.
Example: CyberArk PAM, BeyondTrust
Infrastructure Security
IaC (Infrastructure as Code)- the ability to provision and support your computing
infrastructure using code instead of manual processes and settings
Example: Terraform, Terrascan
Infrastructure Security
VMware NSX | Networking and Security Virtualization - software-defined networking with a distributed firewall, which allows micro-segmentation (per-workload firewall rules) instead of one perimeter rule set.
Infrastructure Security
Configuration management tools - automate the configuration (packages, storage, networking, etc.) of servers so that hardening is applied consistently and configuration drift can be detected.
Example: Ansible, SaltStack, Chef
Infrastructure Security
CIS Benchmarks (Center for Internet Security) - consensus-based hardening guides (for Linux distributions, Kubernetes, Docker, cloud accounts and more) that can be used as a checklist or as an automated audit.
Link: https://www.cisecurity.org/cis-benchmarks
Infrastructure Security
System logging (Filebeat, Winlogbeat) - ship OS, application and audit logs to a central store so that they survive a host compromise and can be searched during incident response.
Infrastructure Security
Secret Management Tools - keep credentials out of code and configuration files; hand them to workloads at runtime, rotate them and audit who accessed what.
Example: Vault, AWS Secrets Manager
Infrastructure Security
Least Privilege Access Management, MFA - grant each user and service only the permissions its task requires, and require a second factor for interactive and administrative logins.
Infrastructure Security
Backup and Disaster Recovery
Kubernetes Security
● Container Isolation: namespaces (what a process can see) & cgroups (what it can use)
● Network Policies (Calico, Cilium, NSX-T)
● RBAC on Kubernetes
● Upgrade the Kubernetes cluster
● etcd encryption at rest
● Container Sandboxing
● mTLS / Service Meshes - traffic between pods should be encrypted
● OPA - Open Policy Agent
● Falco
● AppArmor, Seccomp
Kubernetes Security
Container Isolation: Namespaces & cgroups
Namespaces -> what a process can see: other processes (pid), users (user), filesystems (mnt), network (net), hostname (uts), IPC
cgroups -> what a process can use: RAM, CPU, disk I/O, number of processes
Kubernetes Security
Network Policies
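The slide has no body, so here is an added example (not from the original deck) showing why Network Policies matter: a simplified model of how Kubernetes decides whether ingress traffic reaches a pod. It covers only ingress rules with podSelector/matchLabels and TCP ports inside one namespace; namespaceSelector, ipBlock and egress are ignored, and the policies, labels and namespace name are constructed for the example.

```python
"""Added example (not from the slides): how NetworkPolicy selection changes the
default-allow behaviour of a namespace. Simplified to ingress rules using
podSelector/matchLabels and TCP ports within one namespace; namespaceSelector,
ipBlock and egress are ignored. Policies and pod labels are constructed."""

from typing import Dict, List, Optional


def selects(selector: dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every key/value must match; an empty selector matches all pods."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies: List[dict], dst_labels: Dict[str, str],
                    src_labels: Dict[str, str], port: Optional[int] = None) -> bool:
    """Return True if traffic from a pod with src_labels may reach dst_labels:port."""
    applicable = [p for p in policies
                  if selects(p["spec"]["podSelector"], dst_labels)
                  and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])]
    if not applicable:
        return True  # no policy selects the destination pod: Kubernetes default is allow-all
    # Once a pod is selected, it only accepts what some rule in some policy allows.
    for policy in applicable:
        for rule in policy["spec"].get("ingress", []):   # absent/empty list = deny all
            froms = rule.get("from")                     # absent "from" = any source
            src_ok = froms is None or any(
                selects(f["podSelector"], src_labels) for f in froms if "podSelector" in f)
            ports = rule.get("ports")                    # absent "ports" = any port
            port_ok = ports is None or port is None or any(p.get("port") == port for p in ports)
            if src_ok and port_ok:
                return True
    return False


# Constructed policies for a namespace called "backend".
DEFAULT_DENY_INGRESS = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-ingress", "namespace": "backend"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},   # selects all pods, allows nothing
}
ALLOW_FRONTEND_TO_API = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-frontend-to-api", "namespace": "backend"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "api"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 8080}],
        }],
    },
}
POLICIES = [DEFAULT_DENY_INGRESS, ALLOW_FRONTEND_TO_API]

# Constructed pod labels: a legitimate caller and a compromised pod probing the namespace.
API, DB = {"app": "api"}, {"app": "db"}
FRONTEND, SCANNER = {"app": "frontend"}, {"app": "compromised-pod"}


if __name__ == "__main__":
    print("no policies,   scanner  -> api:8080:", ingress_allowed([], API, SCANNER, 8080))
    print("with policies, frontend -> api:8080:", ingress_allowed(POLICIES, API, FRONTEND, 8080))
    print("with policies, scanner  -> api:8080:", ingress_allowed(POLICIES, API, SCANNER, 8080))
    print("with policies, frontend -> api:22  :", ingress_allowed(POLICIES, API, FRONTEND, 22))
    print("with policies, frontend -> db:5432 :", ingress_allowed(POLICIES, DB, FRONTEND, 5432))
```

The point of the default-deny policy is the first branch: with no policy selecting a pod, everything in the cluster can reach it. Applying the empty-selector policy flips every pod in the namespace to deny, after which each legitimate path has to be allowed explicitly.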
Kubernetes Security
RBAC on Kubernetes
Combinations:
1. Role + RoleBinding → the subject gets the permissions in a single namespace
2. ClusterRole + ClusterRoleBinding → the subject gets the same permissions in all namespaces (and on cluster-scoped resources such as nodes)
3. ClusterRole + RoleBinding → the ClusterRole is defined once, but the RoleBinding grants it only inside the binding's own namespace; create one RoleBinding per namespace to reuse the same role definition across several
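To make the three combinations concrete, here is an added example (not from the original deck) that models how the Kubernetes RBAC authorizer resolves them. The manifests are reduced to the fields the authorizer looks at; the users (alice, bob, carol) and namespaces (dev, staging, prod) are invented for the example.

```python
"""Added example (not from the slides): a minimal model of how the Kubernetes
RBAC authorizer resolves the three Role/Binding combinations.
Manifests are constructed for illustration; users and namespaces are invented."""

from typing import Dict, List, Optional, Tuple

# Roles are keyed by (kind, namespace, name); ClusterRoles have namespace None.
RoleKey = Tuple[str, Optional[str], str]


def _rule_matches(rule: dict, verb: str, resource: str) -> bool:
    """A PolicyRule grants (verb, resource) when both are listed or wildcarded."""
    verbs, resources = rule.get("verbs", []), rule.get("resources", [])
    return ("*" in verbs or verb in verbs) and ("*" in resources or resource in resources)


def _subject_matches(binding: dict, user: str) -> bool:
    return any(s.get("kind") == "User" and s.get("name") == user
               for s in binding.get("subjects", []))


def allowed(roles: Dict[RoleKey, dict], bindings: List[dict],
            user: str, verb: str, resource: str, namespace: str) -> bool:
    """True if `user` may perform `verb` on `resource` in `namespace`.

    Role + RoleBinding               -> only in the binding's namespace
    ClusterRole + ClusterRoleBinding -> in every namespace
    ClusterRole + RoleBinding        -> only in the RoleBinding's namespace
    """
    for b in bindings:
        if not _subject_matches(b, user):
            continue
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            # A RoleBinding is namespaced: whatever it references, it never
            # grants anything outside its own namespace.
            ns = b["metadata"]["namespace"]
            if ns != namespace:
                continue
            key = ("Role", ns, ref["name"]) if ref["kind"] == "Role" \
                else ("ClusterRole", None, ref["name"])
        elif b["kind"] == "ClusterRoleBinding":
            key = ("ClusterRole", None, ref["name"])
        else:
            continue
        role = roles.get(key)
        if role and any(_rule_matches(r, verb, resource) for r in role.get("rules", [])):
            return True
    return False


# Constructed manifests, reduced to the fields the authorizer looks at.
POD_READER_RULES = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]
ROLES: Dict[RoleKey, dict] = {
    ("Role", "dev", "pod-reader"): {"rules": POD_READER_RULES},
    ("ClusterRole", None, "pod-reader"): {"rules": POD_READER_RULES},
}
BINDINGS = [
    # 1. Role + RoleBinding: alice reads pods in "dev" only.
    {"kind": "RoleBinding", "metadata": {"namespace": "dev"},
     "subjects": [{"kind": "User", "name": "alice"}],
     "roleRef": {"kind": "Role", "name": "pod-reader"}},
    # 2. ClusterRole + ClusterRoleBinding: bob reads pods in every namespace.
    {"kind": "ClusterRoleBinding", "metadata": {},
     "subjects": [{"kind": "User", "name": "bob"}],
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"}},
    # 3. ClusterRole + RoleBinding: carol reuses the ClusterRole definition,
    #    but the grant is limited to "staging".
    {"kind": "RoleBinding", "metadata": {"namespace": "staging"},
     "subjects": [{"kind": "User", "name": "carol"}],
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"}},
]


def can(user: str, verb: str, resource: str, namespace: str) -> bool:
    return allowed(ROLES, BINDINGS, user, verb, resource, namespace)


if __name__ == "__main__":
    for user, ns in [("alice", "dev"), ("alice", "prod"), ("bob", "prod"),
                     ("carol", "staging"), ("carol", "dev")]:
        print(f"{user:5} get pods in {ns:8}: {can(user, 'get', 'pods', ns)}")
```

The third case is the one people get wrong: carol's binding references a ClusterRole, but because the binding itself lives in staging she cannot read pods in dev. On a real cluster the same questions are answered by kubectl auth can-i --as carol get pods -n dev.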
Kubernetes Security
Upgrading Kubernetes Cluster
Kubernetes Security
Encryption at rest - encrypt etcd, the key-value DB behind the API server. Secrets are only base64-encoded by default, so anyone who can read etcd (or a backup of it) reads every Secret; configure an EncryptionConfiguration (aescbc/aesgcm or a KMS provider) and pass it to kube-apiserver with --encryption-provider-config.
Kubernetes Security
Container Sandboxing - Kata Containers: runs each pod in a lightweight VM with its own guest kernel, so a kernel exploit inside the container does not land on the host kernel.
Kubernetes Security
gVisor
gVisor is another sandbox runtime. It is a user-space kernel for containers: the application's system calls are intercepted and served by gVisor (the runsc runtime) instead of the host kernel, which shrinks the host-kernel attack surface reachable from the container.
Kubernetes Security
mTLS, Service Mesh
mTLS - mutual TLS
● Mutual authentication
● Two-way (bilateral) authentication
● Both parties authenticate each other in the same handshake, each presenting a certificate
By default in Kubernetes every pod can communicate with every other pod, and this traffic is unencrypted. A service mesh (sidecar proxies such as Istio or Linkerd) can enforce mTLS between pods without changing application code.
Kubernetes Security
OPA - Open Policy Agent
OPA is an open-source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
OPA Gatekeeper - the Kubernetes admission controller built on OPA: it validates (or mutates) objects at admission time, for example rejecting pods that run privileged or pull images from an untrusted registry.
Kubernetes Security
Falco
Falco is a cloud-native runtime security tool. It uses deep kernel tracing (a kernel module or eBPF probe) on Linux, evaluates security rules against the observed system calls and detects unwanted behaviour (a shell spawned in a container, a sensitive file being read, an unexpected outbound connection). Its alerts can drive an automated response to a violation.
Kubernetes Security
AppArmor
Profile modes:
Unconfined → no profile is applied; the process is not restricted
Complain → violations are allowed but logged (use this while building a profile)
Enforce → violations are blocked and logged
seccomp:
Seccomp (Secure Computing Mode) is a Linux kernel security feature that restricts the system calls a process can make, significantly reducing the kernel attack surface reachable from the process. In Kubernetes, set securityContext.seccompProfile.type to RuntimeDefault (the container runtime's default profile) or Localhost (a custom profile on the node); without it the container runs Unconfined.
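The AppArmor and seccomp settings above only help when they are actually present in the pod spec, together with the other pod-level controls. As an added example (not from the original deck), here is an admission-style check that compares a pod with no securityContext against a hardened one. Both pod specs are constructed; the image name registry.example.com/web:1.4.2 and uid 10001 are hypothetical.

```python
"""Added example (not from the slides): an admission-style check for the
pod-level controls discussed in this section (seccomp, AppArmor, non-root,
read-only root filesystem, capabilities). Both pod specs are constructed;
the 'weak' one is what you get when no securityContext is written at all."""

from typing import List

APPARMOR_ANNOTATION = "container.apparmor.security.beta.kubernetes.io/"  # pre-1.30 form


def _apparmor_type(pod: dict, container: dict) -> str:
    """Resolve the effective AppArmor setting: securityContext.appArmorProfile
    (Kubernetes 1.30+) or the older per-container annotation."""
    for sc in (container.get("securityContext", {}), pod["spec"].get("securityContext", {})):
        if "appArmorProfile" in sc:
            return sc["appArmorProfile"].get("type", "Unconfined")
    ann = pod.get("metadata", {}).get("annotations", {}).get(APPARMOR_ANNOTATION + container["name"])
    if ann is None or ann == "unconfined":
        return "Unconfined"
    return "RuntimeDefault" if ann == "runtime/default" else "Localhost"


def audit_pod(pod: dict) -> List[str]:
    """Return one finding per missing hardening control; empty list if the pod passes."""
    findings: List[str] = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"].get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true disables almost all isolation")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set, container may start as uid 0")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation should be false (blocks setuid/file caps)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem not set")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop should include ALL")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile (Unconfined), every syscall reachable")
        if _apparmor_type(pod, c) == "Unconfined":
            findings.append(f"{name}: AppArmor unconfined")
    return findings


# Constructed: the defaults you get with no securityContext at all.
WEAK_POD = {
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "registry.example.com/web:latest"}]},
}

# Constructed: the same pod with the controls from this section applied.
HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,                              # hypothetical unprivileged uid
            "seccompProfile": {"type": "RuntimeDefault"},
            "appArmorProfile": {"type": "RuntimeDefault"},   # Kubernetes 1.30+ field
        },
        "containers": [{
            "name": "web",
            "image": "registry.example.com/web:1.4.2",       # pinned tag, not latest
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],  # writable scratch space, since / is read-only
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "passes")
```

In a cluster these checks are what a Gatekeeper constraint or the built-in Pod Security Admission "restricted" profile enforces at admission time; the script shows the same rules as plain logic so the reasoning behind each finding is visible.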
CI/CD Pipeline
● GitLab configuration, access management for users, LDAP authentication, branch protection
● GitLab SAST, SCA, DefectDojo, SonarQube, Fortify
● Dependency checks
● Docker images and image vulnerability scanning (Trivy, Clair)
CI/CD Pipeline
● GitLab configuration
● Access management for users
● LDAP authentication
● Branch protection (no direct pushes to protected branches, merges only through reviewed merge requests)
● Do not use hard-coded values (credentials, tokens, keys) in repositories or pipeline definitions; inject them from CI variables or a secret manager
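"Do not use hard-coded values" is easiest to enforce with a scan in the pipeline or a pre-commit hook. As an added example (not from the original deck), here is a small credential scanner run over constructed source lines. The AWS key is the documented AWS example key, the GitLab token is a made-up glpat-prefixed string, and the patterns are deliberately simple; real tooling (GitLab Secret Detection, gitleaks) uses many more.

```python
"""Added example (not from the slides): a pre-commit style scan for hard-coded
credentials, run over constructed source lines. The AWS key below is the
example key from AWS documentation, the GitLab token is a made-up
glpat-prefixed string; the patterns are deliberately simple."""

import re
from typing import List, Tuple

RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gitlab-pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # a quoted literal of 8+ characters assigned to a credential-looking name
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def scan(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule) for every line that trips a rule."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                hits.append((lineno, rule))
    return hits


# Constructed sample: a config module as it might be committed by mistake.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "Sup3rS3cret!"
gitlab_token = "glpat-abcdefghij0123456789"
DB_PASSWORD = os.environ["DB_PASSWORD"]   # correct: injected at runtime from a CI variable or Vault
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}")
```

Line 5 is the pattern to aim for: the name of the secret is in the code, the value is not. Wiring scan() into a pipeline job that fails the build on any hit turns the slide's rule into something the pipeline enforces rather than a reviewer's reminder.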
CI/CD Pipeline
GitLab SAST, SCA, Fortify (SAST/DAST tool), DefectDojo (vulnerability aggregation and reporting), SonarQube.
CI/CD Pipeline
● Dependency management
● Prevent supply chain attacks
● Use trusted, verified sources for your dependencies
● Declare dependencies in a manifest with pinned versions and use a dependency management tool (Maven, npm or Gradle) together with its lock file
● Use a centralized artifact repository (proxy/cache) so builds pull only vetted packages
CI/CD Pipeline
Dockerfile images:
● Reduce image size by applying multi-stage builds
● Always use a specific version tag for the base image, never latest, and pin package versions
● Do not run as root (add a USER instruction)
● Make the filesystem read-only at runtime (Kubernetes securityContext.readOnlyRootFilesystem: true, or docker run --read-only); a RUN chmod a-w /etc in the Dockerfile only changes file modes and does not make the filesystem read-only
● Remove shell access: RUN rm -rf /bin/* is a crude approach that also breaks later RUN steps; prefer a minimal base image (distroless or scratch) that ships no shell
● Store images in your own private registry
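As an added example (not from the original deck), here is a small Dockerfile linter for the points on this slide, run over a constructed weak Dockerfile and its hardened multi-stage rewrite. The versions in the hardened file (python:3.12.4-slim, flask==3.0.3) are illustrative pins and the uid 10001 is arbitrary.

```python
"""Added example (not from the slides): a small Dockerfile linter for the
points on this slide, run over a constructed weak Dockerfile and its hardened
rewrite. Versions in the hardened file (python:3.12.4-slim, flask==3.0.3) are
illustrative pins; the uid is arbitrary."""

import re
from typing import List, Set, Tuple

WEAK_DOCKERFILE = """\
FROM python:latest
RUN pip install flask
COPY . /app
RUN chmod a-w /etc
RUN rm -rf /bin/*
CMD ["python", "/app/app.py"]
"""

HARDENED_DOCKERFILE = """\
# build stage: build tooling stays here and never reaches the final image
FROM python:3.12.4-slim AS build
WORKDIR /build
RUN pip install --no-cache-dir --prefix=/install flask==3.0.3

# runtime stage: pinned minimal base, packages copied in, unprivileged user
FROM python:3.12.4-slim
COPY --from=build /install /usr/local
COPY --chown=10001:10001 app.py /app/app.py
USER 10001:10001
CMD ["python", "/app/app.py"]
"""


def _instructions(dockerfile: str) -> List[Tuple[str, str]]:
    """Split into (INSTRUCTION, arguments), joining backslash continuations, dropping comments."""
    out, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def _pip_unpinned(args: str) -> bool:
    """True if a 'pip install' line names a package without ==version (-r files are skipped)."""
    m = re.search(r"\bpip3?\s+install\s+(.*)", args)
    if not m:
        return False
    pkgs, skip = [], False
    for tok in m.group(1).split():
        if skip:
            skip = False
        elif tok in ("-r", "--requirement"):
            skip = True
        elif not tok.startswith("-"):
            pkgs.append(tok)
    return any("==" not in p for p in pkgs)


def audit_dockerfile(dockerfile: str) -> List[Tuple[str, str]]:
    """Return (rule, message) findings; empty list means the file passes these checks."""
    findings = []
    ins = _instructions(dockerfile)
    froms = [args for kind, args in ins if kind == "FROM"]
    for args in froms:
        image = args.split()[0]   # heuristic: "name:tag" or "name@sha256:..."; registry ports not handled
        if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
            findings.append(("base-image-unpinned", f"FROM {image}: use a specific tag or digest, not latest"))
    if len(froms) < 2:
        findings.append(("single-stage", "no multi-stage build: build tooling ships in the runtime image"))
    users = [args for kind, args in ins if kind == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append(("runs-as-root", "no USER instruction (or USER root): container runs as uid 0"))
    for kind, args in ins:
        if kind != "RUN":
            continue
        if _pip_unpinned(args):
            findings.append(("unpinned-package", f"pip install without ==version: {args}"))
        if re.search(r"\brm\s+-rf?\s+/bin", args):
            findings.append(("shell-removal-hack", "rm -rf /bin breaks later RUN steps; use a distroless or scratch base"))
        if re.search(r"\bchmod\s+a-w\s+/etc", args):
            findings.append(("fake-readonly-fs", "chmod a-w /etc is not a read-only filesystem; set readOnlyRootFilesystem at runtime"))
    return findings


def rules_hit(dockerfile: str) -> Set[str]:
    return {rule for rule, _ in audit_dockerfile(dockerfile)}


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, audit_dockerfile(df) or "passes")
```

The read-only filesystem check deserves the comment it carries: a read-only root filesystem is a property of how the container is run, so it belongs in the pod securityContext or docker run flags, not in the image. Image scanners such as Trivy report CVEs in the packages; a Dockerfile lint like this catches the build-time habits that let those packages in.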
CI/CD Pipeline
Image Vulnerability Scanning (Trivy, Clair)
Dive - tool for analysing an image layer by layer (what each instruction added, wasted space, files that should not be there)
Keycloak (IAM)
• Authentication & Authorization (OpenID Connect & OAuth2)
• Single Sign-On (SSO)
• User federation (LDAP, AD, DB)
• Social Login (Google, Facebook)
• RBAC
Keycloak (IAM)
As an Identity Provider in microservices
Keycloak (IAM)
Keycloak + Gateway + APP
Keycloak Deployment on Kubernetes and Integration
Thanks!