➕️ Compile some cloud native security recs

slides/shared/cloud-native-security.md

@@ -0,0 +1,103 @@
+# Cloud Native Security
+
+*Non-exhaustive list of best practices for Cloud Native Security.*
+
+---
+
+## "Less is more"
+
+- Less code (build vs buy; Pareto 80/20)
+
+- Less permissions (fine-grained vs blanket)
+
+- Less dependencies (also a trade-off)
+
+*Note: this is not at all specific to Cloud Native.*
+
+*But security must be addressed at all layers of the stack!*
+
+---
+
+## Managed platforms
+
+- Operating Kubernetes is complex
+
+- Use a managed platform
+
+  (cloud provider or service provider)
+
+- Restrict control plane access
+
+- TLS cert management (check "PKI the wrong way")
+
+- Enable Pod Security Settings
+
+- Restrict access to cloud instance metadata
+
+---
+
+## K8S upgrades
+
+- ALWAYS ALWAYS ALWAYS upgrade
+
+  (do you prefer your maintenance to be planned or unplanned?)
+
+- Upgrades can be smooth if:
+
+  - we're using a good, managed platform
+
+  - we stay away from beta APIs
+
+---
+
+## Isolate compute
+
+- Resource requests and limits for ALL workloads
+
+- Taints, tolerations, affinities where necessary
+
+- Secure container runtime if necessary
+
+---
+
+## Isolate network
+
+- Network policies
+
+- Advanced policies (check Cilium)
+
+---
+
+## Secret management
+
+- Secrets vs ConfigMaps
+
+- Store secrets in...:
+
+  - KMS
+  - External Secrets
+  - Sealed Secrets
+  - Vault
+  - Kamus
+  - SOPS
+  - ...
+
+- Encrypt secrets at rest if necessary
+
+---
+
+## AuthN & AuthZ
+
+- Authenticate users centrally
+
+  (e.g. OIDC, certificates)
+
+- Have a clear path for access revocation
+
+- Fine-grained RBAC
+
+---
+
+## Software supply chain
+
+*I'm not an expert in that field but this should be on your radar!*