This is the recommended approach to multicloud security for deploying kdb+ to the managed Kubernetes offerings of the different cloud providers (GKE, EKS, AKS) in a secure and repeatable manner.
Secure application software delivery and maintenance
KX packages and delivers its software application as a compressed/secure bundle through approved communications channels.
Cloud provider compliance manager self-service access
Each public cloud provider offers a compliance manager: a self-service portal for compliance-related documentation and artifacts that can be provided to security teams and compliance auditors.
The portals also hold a wealth of compliance resources, including best-practice configuration documentation and access to the Cloud Audit Academy.
Compliance questions and answers
- Is your solution compliant with [Program X]?
Context is required to answer this question. In all cases, customers operating in the cloud remain responsible for complying with applicable laws and regulations, and it is up to the customer to determine whether the cloud-provider services meet applicable requirements for the business.
To help make this determination, as mentioned above, each public cloud provider operates a compliance-manager portal across multiple industries and jurisdictions to inform and support their customers.
- Compliance certifications and attestations (evidence showing that something is true) are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance.
- Laws and regulations: providers supply functionality (such as security features), enablers, and legal agreements to support customer compliance. Requirements under applicable laws and regulations may not be subject to certification or attestation.
- Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function. They provide functionality (such as security features) and enablers (including compliance playbooks, mapping documents, and whitepapers) for these types of programs.
Requirements under specific alignments and frameworks may not be subject to certification or attestation; however, some alignments and frameworks are covered by other compliance programs. For example, NIST guidelines can be mapped to applicable FedRAMP security baselines.
Banking security Q&A and deployment patterns
We recommend you review the Consensus Assessments Initiative Questionnaire (CAIQ) examples published online by all the major public cloud providers for their related products and services. These can be found, as above, in the compliance manager self-service portals.
Each provider has hundreds of questions specific to it and to each product or service within each compliance program, and these change daily, so the portals are the best reference point for quick answers and common deployment patterns to empower the team.
Banking security controls and risk teams will, from their experience, provide you with a compliance checklist to answer based on these standards. Many of these questions have already been answered by the cloud providers for their products and services, with external validation.
The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The CAIQ was developed to create commonly accepted industry standards for documenting the security controls in infrastructure-as-a-service, platform-as-a-service and software-as-a-service applications.
The CAIQ contains a series of yes-or-no control-assertion questions that can be customized to fit an individual cloud customer's needs. The CAIQ is intended to be used in conjunction with the CSA Guidance and the CSA Cloud Controls Matrix (CCM). The CAIQ is part of the CSA governance, risk management and compliance stack.
The questionnaire is designed to support organizations when they interact with cloud providers during the providers' assessment process, by giving organizations specific questions to ask about the providers' operations and processes.
Cloud providers can use the CAIQ to outline their security capabilities and security posture to customers, publicly or privately, in a standardized way using the terms and descriptions considered to be best practices by the CSA.
Completing the CAIQ questionnaire usually takes a few hours and is considered only a first-level screening process; more intensive provider review processes are advised.
Sharing the data/CAIQ results is done through the CSA’s online registry for security controls, the Security, Trust and Assurance Registry (STAR), using STARWatch, a software-as-a-service application developed by the CSA. The application gives organizations a centralized way to manage and maintain the integrity of the vendor review and assessment process.
In addition, STARWatch includes access to more than 200 CSA STAR assessments to help organizations save time with research so they can make business decisions more quickly. CSA STAR is a program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing and harmonization of standards.
STARWatch delivers the content of the CSA’s de-facto standards Cloud Control Matrix and the CAIQ in a database format so users can manage compliance of cloud services with the CSA best practices.
STARWatch is aimed at providing cloud users, providers, auditors and security providers assurance and compliance on demand. The STARWatch application enables the sharing and peer-reviewing of cloud services security assessments.
The CAIQ was designed to help with one of the leading concerns companies have when moving to the cloud: the lack of transparency into what technologies and tactics cloud providers implement, relative to data protection and risk management, and how they implement them.
The CAIQ questionnaire can be customized to suit the requirements of each cloud customer and used to help organizations build the necessary assessment processes for engaging with cloud providers.
Organizations can use the information from the CAIQ to build a robust RFP (request for proposal) and verify that the answers the vendor gives during the RFP review interview are valid. Using the CAIQ, a provider can demonstrate the extent of its controls and reuse it as a standard response to an RFP.
The CSA STAR program consists of three levels of assurance (self-assessment, third-party certification and continuous auditing) based on:
- the CAIQ
- the CSA Cloud Controls Matrix (CCM)
- the CSA Code of Conduct for GDPR
Organizations should use the CAIQ as a first-level filter, because providers are only asked to provide responses with yes-or-no answers. After they pass that test, businesses should ask vendors to provide more specific demonstrations on controls that matter most to them.
Companies should discuss their requirements and priorities with candidate cloud providers to ensure that the security controls the vendors have in place meet their needs. These discussions should be ongoing because the needs of the business are always changing.
The CCM gives organizations the necessary structure, detail and clarity around cloud security. CCM is currently considered a de-facto standard for cloud security assurance and compliance.
The CSA Code of Conduct for GDPR Compliance was created by industry experts and representatives from the European Union’s national data protection authorities to help companies adhere to the EU’s GDPR data-privacy regulation. The CSA’s Code includes all the requirements a cloud service provider has to satisfy to comply with the GDPR.
In addition, the STAR program’s publicly accessible registry provides a way to document the security and privacy controls provided by popular cloud-computing offerings. Organizations should use this registry to assess cloud providers and security providers, as well as advisory and assessment services firms so they can make the best procurement decisions.
Open-source and commercial security tooling
Many open-source and commercial security tools are used as a common pattern within banking. Here are the top tools, with links for additional research.
- Cloud Custodian
A rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that is both secure and cost optimized.
- Check Point CloudGuard
The industry’s only complete family of cloud-security solutions focused on advanced threat prevention and keeping enterprise cloud applications, infrastructure and data protected from Gen V cyber-attacks.
- Palo Alto Network Prisma Cloud
Enables an integrated set of security capabilities across your entire cloud-native technology stack, including apps, data, network, compute, storage, users and PaaS services.
Maintains consistent security and compliance control across any cloud-native technology, and identifies and prevents threats and anomalous activities.
Automates security across the entire application lifecycle, and implements frictionless security controls as part of your CI/CD pipelines.
Leverages continuous vulnerability intelligence and automated risk prioritization across your entire cloud-native stack and throughout the development lifecycle.
Investigates any resource and quickly determines the root cause of a misconfiguration.
- Aqua Security
Aqua’s Cloud-Native Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks, providing transparent, automated security while helping to enforce policy and simplify regulatory compliance.
- HashiCorp Vault
Secures, stores and tightly controls access to tokens, passwords, certificates and encryption keys, protecting secrets and other sensitive data through a UI, CLI, or HTTP API.
Development environment reference architecture
Minikube quickly sets up a local Kubernetes cluster on macOS, Linux, and Windows. We proudly focus on helping application developers and new Kubernetes users.
Skaffold handles the workflow for building, pushing and deploying your application, allowing you to focus on what matters most: writing code.
ChartMuseum is an open-source Helm chart repository written in Go (Golang), with support for cloud-storage backends, including Google Cloud Storage, Amazon S3, Microsoft Azure Blob Storage, Alibaba Cloud OSS Storage and Openstack Object Storage.
Sandbox reference architecture
A sandbox environment is usually air-gapped, with little to no access to the corporate on-premises network.
There are several secure remote connectivity options into the environment for KX staff:
- A dedicated bastion host with the required tools installed, accessed using SSH, which acts as a jump host into the sandbox network.
- A dedicated VPN solution that the customer might already use.
- On Google Cloud, IAP (Identity-Aware Proxy) can be leveraged to access the cloud resources.
Production reference architecture
There are hundreds of software options for cloud-native solution architectures. Above are the tools we most often see in use by banking customers.
Training and certification
- AWS re:inforce
Includes hundreds of technical sessions, a keynote featuring AWS security leadership, and access to cloud security experts in the Security Learning Hub.
- AWS re:invent
Hear directly from AWS leaders as they share the latest advances in AWS technologies, set the future product direction, and motivate you through compelling success stories.
- Google Cloud Next
Insights from Google Cloud executives, focusing on transformational efforts across industries working with customers and ecosystem partners.
- KubeCon + CloudNativeCon
The Cloud Native Computing Foundation’s flagship conference gathers adopters and technologists from leading open source and cloud native communities.