Security & Compliance Flashcards

1
Q

What are some strategies to help you strengthen your workload security?

A

Implement a strong identity foundation - use the principle of least privilege and centralized identity mgmt to set appropriate authorization levels and access policies

Implement traceability - monitor, audit, and alert on changes; correlate events with system metrics to automate investigation and action

Apply security at all layers - use a defense in depth approach with multiple, independent controls at every layer (e.g. network edge, VPC, load balancer, every instance and compute service, OS, application, code), so that bypassing any one control does not compromise the whole workload

Automate security best practices, especially when handling sensitive data - codify controls (deployment, patching, other admin tasks) as versioned, tested automation so that humans rarely touch production systems or sensitive data directly

Protect data in transit and at rest

Prepare for security events - monitor your applications and infrastructure, build automated scanning into your CI/CD pipelines, and keep incident response runbooks that you actually rehearse

2
Q

What areas does security in the cloud cover?

A

IAM
Detection (threat, misconfiguration, unexpected behaviors)
Infrastructure protection (compute, network)
Data protection
Incident response
Compliance

3
Q

What are questions to ask around IAM?

A

How do you manage identity and access for your users?
Do you use any identity providers?
Do you have any processes in place for granting and tuning access controls (think least privilege, use groups/roles as much as possible, use audit logs to regularly monitor/alert on privileged access activity)?

4
Q

How does GC help with identity & access mgmt?

A

The IAM service lets you define "who" (principal) has "what access" (role) to which resource. Organization policies add guardrails on top of IAM by constraining how resources can be configured (e.g. blocking external IPs on VMs or restricting which domains can be granted access), regardless of who holds which role. IAM Conditions let you further restrict a role binding based on request attributes such as the date/time of the request or the name/type of the resource being accessed, and, through Access Context Manager access levels, attributes such as the source IP address. GC also has policy intelligence (IAM Recommender) that compares granted permissions with actual usage and notifies you of potentially overly permissive bindings, suggesting a tighter role.

You can use Cloud Audit Logs to detect changes to IAM policies (every SetIamPolicy call is recorded in the Admin Activity log, which cannot be disabled) and to see who used or impersonated a service account.

Cloud Asset Inventory lets you track metadata about your assets (resources and IAM policies) over time, search across them, and set up asset feeds to be notified in real time of any changes.

IMOW… helping with access mgmt is a key task that showed up on nearly every SOW when I was in PS, whether the customer was existing or new. Customers often ask whether they can authenticate to Splunk Cloud using their identity providers to avoid having more setup steps. They also often use default roles that are too broad and against company policies, and ask for ways to manage this.

5
Q

What is the difference between SSO and identity federation?

A

SSO is the user-facing concept: a user signs in once and can then access many applications within an organization without logging in again.

Federated identity is the trust mechanism that makes SSO work across organizational boundaries: an application (the service provider) trusts an external IdP (e.g. Google, Facebook, Apple, or a corporate IdP) to authenticate users, typically via SAML or OpenID Connect, and accepts the assertions or tokens that IdP issues instead of holding its own credentials for the user. SSO can exist inside a single directory without federation; federation extends it to any application that has established trust with the IdP.

6
Q

What are best practices around identity & access mgmt?

A
  1. Define roles using the principle of least privilege: prefer predefined or custom roles over the basic Owner/Editor/Viewer roles, and grant Owner only when genuinely needed. Be careful about letting users act as service accounts (roles/iam.serviceAccountUser, roles/iam.serviceAccountTokenCreator), since that effectively grants them everything the service account can do.
  2. Attach roles to groups instead of individual users, so access follows group membership and offboarding is a single removal.
  3. Regularly audit access: review bindings against actual usage (IAM Recommender) and alert on privileged activity in Cloud Audit Logs.
  4. Use VPC Service Controls to establish security perimeters around API-based services (Cloud Storage, BigQuery, etc.), so data cannot be copied to projects outside the perimeter even by a principal holding valid credentials.
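One way to turn the IAM points in cards 4 and 6 into a running check, as an added example that is not part of the original flashcards or any Google tool: the script below parses Cloud Audit Log entries, keeps only SetIamPolicy calls, and flags binding additions that violate the practices above (Owner/Editor or service-account impersonation roles, direct `user:` members instead of groups, public principals). The log lines are constructed to mirror the `protoPayload.serviceData.policyDelta.bindingDeltas` layout of Admin Activity entries; the project name, principals and field values are made up.

```python
"""Flag risky IAM policy changes in Cloud Audit Log entries.

Added example (not from the original flashcards or from Google).  The sample
entries are CONSTRUCTED to mirror the shape of Cloud Resource Manager
SetIamPolicy entries in Admin Activity logs; every value is made up.
"""
import json

# Roles whose grant should always be reviewed: the broad basic roles, and roles
# that let a principal act as (impersonate) a service account.
HIGH_RISK_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_binding_delta(delta):
    """Return finding strings for one bindingDelta; empty list if it is clean."""
    if delta.get("action") != "ADD":
        return []  # a REMOVE only reduces access, nothing to flag
    role, member = delta["role"], delta["member"]
    findings = []
    if member in PUBLIC_MEMBERS:
        findings.append(f"public principal {member} granted {role}")
    if role in HIGH_RISK_ROLES:
        findings.append(f"high-risk role {role} granted to {member}")
    if member.startswith("user:"):
        findings.append(f"direct user grant {member} -> {role}; bind a group instead")
    return findings


def audit_log_line(line):
    """Parse one JSON log line; return a list of finding dicts (who/where/what)."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []  # only IAM policy changes are of interest here
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "?")
    resource = payload.get("resourceName", "?")
    deltas = (payload.get("serviceData", {})
                     .get("policyDelta", {})
                     .get("bindingDeltas", []))
    return [
        {"actor": actor, "resource": resource, "finding": f}
        for d in deltas
        for f in audit_binding_delta(d)
    ]


def audit_log_lines(lines):
    """Run the audit over an iterable of JSON log lines."""
    return [f for line in lines for f in audit_log_line(line)]


# Constructed sample log lines (not real log output).
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {
        "methodName": "SetIamPolicy",
        "resourceName": "projects/example-project",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner",
             "member": "user:alice@example.com"},
            {"action": "ADD", "role": "roles/viewer",
             "member": "group:analysts@example.com"},
        ]}},
    }}),
    json.dumps({"protoPayload": {
        "methodName": "SetIamPolicy",
        "resourceName": "projects/example-project",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer",
             "member": "allUsers"},
            {"action": "REMOVE", "role": "roles/editor",
             "member": "user:bob@example.com"},
        ]}},
    }}),
    # An unrelated Admin Activity entry; the auditor must ignore it.
    json.dumps({"protoPayload": {
        "methodName": "v1.compute.instances.insert",
        "resourceName": "projects/example-project/zones/us-central1-a/instances/vm-1",
        "authenticationInfo": {"principalEmail": "deployer@example.com"},
    }}),
]

if __name__ == "__main__":
    for finding in audit_log_lines(SAMPLE_LOG_LINES):
        print(f"{finding['actor']} on {finding['resource']}: {finding['finding']}")
```

On the sample above the script reports three findings (Owner granted to a user, a direct user grant, and a public grant) and stays silent on the group binding, the removal, and the non-IAM entry. In a real deployment the same function would consume messages from a log sink routed to Pub/Sub, using a Logging filter such as `protoPayload.methodName="SetIamPolicy"` so only policy changes reach it.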
7
Q

How does GC help with data security?

A

GC provides data security controls in three areas: encryption (data encrypted at rest and in transit by default, customer-managed keys in Cloud KMS, hardware-backed keys in Cloud HSM), storage (Cloud Storage retention policies and bucket lock, object versioning, uniform bucket-level access), and databases (IAM-integrated access control and the same encryption options for the managed database services).

8
Q

What are questions to ask around data security?

A

What types of retention policies do you have? Does all of your data need to be retained for that period of time (think weighing data storage costs and compliance)?

9
Q

What is meant by a hardened OS image?

A

An OS image (VM or container base image) from which unnecessary software, services, open ports, and default accounts have been removed, and whose default configuration has been tightened (e.g. to a CIS benchmark), so that every system built from it starts with the smallest possible attack surface.

10
Q

How does GC help with securing compute?

A

Shielded VMs: Compute Engine instances hardened against boot-level and kernel-level malware and rootkits using Secure Boot (only signed bootloaders and kernels run), a virtual TPM (vTPM) that measures the boot chain, and integrity monitoring that compares each boot's measurements against a known-good baseline and reports deviations through Cloud Logging/Monitoring. Confidential VMs build on this by also encrypting memory while in use.

11
Q

What are HSMs?

A

Hardware security modules are dedicated, tamper-resistant hardware devices that generate, store, and use cryptographic keys: signing, encryption, and decryption happen inside the module, and the key material never leaves it in plaintext. They are validated against standards such as FIPS 140-2; Cloud HSM, for example, uses FIPS 140-2 Level 3 validated HSMs, and a Cloud KMS key created with protection level HSM is used through the same KMS API as a software key.
