Friday, February 18, 2022

Cybersecurity Compliance for dummies

What is Compliance?

The term compliance describes the ability to act according to an order, set of rules or request.

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations. Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources.

What does Cybersecurity Compliance mean?

Cybersecurity Compliance involves meeting various controls (usually enacted by a regulatory authority, law, or industry group) to protect the confidentiality, integrity, and availability of data. Compliance requirements vary by industry and sector, but typically involve using an array of specific organizational processes and technologies to safeguard data. Controls come from a variety of sources including CIS, the NIST Cybersecurity Framework, and ISO 27001. 

Why is Regulatory Compliance Important?

Regulatory compliance is when businesses follow state, federal and international laws or regulations relevant to operations.

Why does it matter?

Compliance can be categorized by multiple criteria, the most important being:

1. Who defines and enforces it, such as governments for laws and regulations, professional associations and industry organizations for industry standards, and businesses for corporate policies. For instance, the International Organization for Standardization (ISO) develops and publishes international standards (such as ISO 9000 for quality management) that are not enforced by governments.

2. What it addresses, such as safety, fraud, privacy, human rights, the environment, and so on. This type of compliance can be enforced by governments through laws such as the Food Safety Modernization Act (FSMA), or through an industry-specific standard like ISO/IEC 17025 for testing and calibration laboratories.

Benefits of compliance

1. Security Compliance Helps You Avoid Fines and Penalties

2. Security Compliance Protects Your Business Reputation

3. Security Compliance Enhances Your Data Management Capabilities

4. Security Compliance Puts You in Good Company, i.e. it earns you a good name.

5. Security Compliance Yields Insights That Promote Operational Benefits

6. Effective Security Compliance Enhances Company Culture

7. It Supports Access Controls and Accountability

Thursday, February 10, 2022

Azure Policy: Kubernetes pod security baseline

When you deploy Azure Kubernetes Service (AKS) in an enterprise context, you will probably be asked about policies that can be applied to AKS for compliance and security. In this post, we will discuss Azure Policy for Kubernetes briefly and then explain a group of policies that implement baseline security settings.

Azure Policy for Kubernetes

To apply policies to Kubernetes, Microsoft decided to integrate their existing Azure Policy solution with Gatekeeper v3. Gatekeeper is an admission controller webhook for Open Policy Agent (OPA). An admission controller webhook is a piece of software, running in Kubernetes, that inspects incoming requests to the Kubernetes API server and decides whether to allow or deny each one. Open Policy Agent is a general solution for policy-based control that goes well beyond Kubernetes. It uses a language called Rego that lets you write policies that allow or deny requests. You can check the Gatekeeper library for examples.

Although you can install Gatekeeper v3 on Kubernetes yourself, Microsoft provides an add-on to AKS that installs Gatekeeper for you. Be aware that you either install it yourself or let the add-on do it, but not both. The AKS add-on can be installed via the Azure CLI or an ARM template. It can also be enabled via the Azure Portal. Azure Policy for Kubernetes supports the following cluster environments:

The following limitations apply only to the Azure Policy Add-on for AKS: