A deep dive into integrating security assessments into Azure Kubernetes Service.
The Agile Manifesto's core principles still resonate. These promote adaptive planning and continuous improvement.
- LEAN
- SAFe
- SCRUM
- XP
- KANBAN
- Feature Driven Development
- Accountability gaps
- Too Many Rituals
- Scope Creep
- Quality Testing is an Afterthought
- Security as a Blackbox
- Frameworks are voluntary guidelines that codify best practice.
  - NIST Cybersecurity Framework 2.0
  - NIST AI Risk Management Framework
- Regulations are mandatory legal requirements.
  - U.S. HIPAA
  - U.S. FFIEC
  - EU GDPR
  - EU AI Act
  - EU DORA
- Audit
  - Formal & structured
  - Independent
  - Compliance-focused
  - Risk-oriented
  - Provides assurance and recommendations for improvement.
- Assessment
  - Flexible & adaptable
  - Internal or external
  - Focus on improvement
  - May not be compliance-driven
  - Offers insights into IT optimization and alignment.
- Access Control
- IT Security
- Data Backup & Recovery
- Change Management
- Testing Internal Controls
- Documentation
SOX Section 404 (Sarbanes-Oxley) requires management to assess internal controls over financial reporting, so the IT general controls it reaches into are the ones above: access control, IT security, data backup and recovery, change management, control testing, and documentation.
- Risk Management
  - Identified vulnerabilities
  - Risk assessment coverage
  - Mitigation controls
- Incident Response
  - Mean time to detect
  - Mean time to respond
  - Incidents handled
- Business Continuity
  - Recovery Time Objective
  - Recovery Point Objective
  - DR test success rate
KPIs measure the effectiveness of controls. Focus areas are risk, response, and recovery.
- Planning: Define goals, requirements, and security considerations (threat model, compliance scope).
- Coding: Developers write code against secure-coding standards, with peer review.
- Build: Run SAST, dependency, and container-image scans as part of the build, and fail it on policy violations.
- Test: Automated security tests are run alongside functional tests.
- Release: Code is prepared for deployment with compliance checks and evidence captured for audit.
- Deploy: Applications are deployed only through the automated pipeline, after the policy checks pass.
- Operate: Application runs with continuous monitoring; findings feed back into planning.
Security is integrated into every phase. From planning to operation, it's a continuous loop.
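The Build and Test phases above only bite if the pipeline can fail. The following is an added example, not code from the original deck or from Microsoft: a gate that reads an image-scan report in a Trivy-style JSON layout (the `Results` / `Vulnerabilities` key names are an assumption; adjust for your scanner), blocks on CRITICAL findings and on HIGH findings that already have a fix, and honours risk-acceptance waivers only while they are unexpired. The report, the waiver list and the vulnerability IDs are constructed placeholders, not real CVEs.

```python
"""Build/Test-phase gate: fail the pipeline on unacceptable scanner findings.

Added example (not from the original deck). Input is a Trivy-style JSON report
(Results -> Vulnerabilities; this layout is an assumption). Policy: CRITICAL
always blocks, HIGH blocks only when a fixed version exists, and either may be
waived by a risk-acceptance entry that has not yet expired.
"""
import json
from datetime import date

# Constructed sample report. Vulnerability IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app:1.4.2 (debian 12.5)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libfoo",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbar",
             "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libbaz",
             "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "MEDIUM"},
        ]}
    ]
})

# Constructed risk acceptances: each waiver names an owner, a ticket and an
# expiry date, so an accepted risk is evidence for the assessor, not a blind spot.
WAIVERS = {
    "CVE-0000-0001": {"owner": "app-team", "ticket": "RISK-42", "expires": "2099-01-01"},
    "CVE-0000-0003": {"owner": "app-team", "ticket": "RISK-17", "expires": "2020-01-01"},
}


def waiver_is_valid(vuln_id, waivers, today):
    """A waiver counts only if it exists and has not expired."""
    w = waivers.get(vuln_id)
    return w is not None and date.fromisoformat(w["expires"]) >= today


def evaluate(report_json, waivers, today=None):
    """Apply the gating policy; returns blocking and waived findings plus a verdict."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    report = json.loads(report_json)
    blocking, waived = [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN").upper()
            fixable = bool(v.get("FixedVersion"))
            # CRITICAL always blocks; HIGH blocks only when a fix exists, so
            # unfixable HIGHs are tracked rather than making the pipeline unusable.
            if sev == "CRITICAL" or (sev == "HIGH" and fixable):
                finding = {"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                           "severity": sev, "fixed": v.get("FixedVersion") or None,
                           "target": result.get("Target")}
                if waiver_is_valid(finding["id"], waivers, today):
                    waived.append(finding)
                else:
                    blocking.append(finding)
    return {"passed": not blocking, "blocking": blocking, "waived": waived}


def exit_code(verdict):
    """Non-zero exit is what makes the CI stage fail."""
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_REPORT, WAIVERS, "2025-01-01")
    for f in verdict["blocking"]:
        print(f"BLOCK  {f['severity']} {f['id']} in {f['pkg']} ({f['target']}), fix: {f['fixed']}")
    for f in verdict["waived"]:
        w = WAIVERS[f["id"]]
        print(f"WAIVED {f['id']} until {w['expires']} ({w['ticket']}, owner {w['owner']})")
    raise SystemExit(exit_code(verdict))
```

Run as-is, the gate blocks on the fixable HIGH whose waiver lapsed in 2020 and lets the waived CRITICAL through with an explicit record; the expiry is what keeps "mitigation controls" from turning into permanent exceptions.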
- Secure Configuration: Harden AKS clusters against the CIS Kubernetes and AKS benchmarks, using Azure Security Center (now Microsoft Defender for Cloud) to surface drift.
- Identity and Access: Enforce Kubernetes RBAC with authentication through Azure AD (now Microsoft Entra ID), and disable local cluster accounts.
- Network Security: Use Kubernetes Network Policies for pod-to-pod traffic and Azure Firewall for controlling egress from the cluster.
- Monitoring and Logging: Collect and analyze control-plane and workload logs with Azure Monitor and Microsoft Sentinel.
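A pre-deploy check that covers the configuration and network items above, as an added example that is not from the original deck or from Microsoft: it runs CIS-Kubernetes-benchmark-style pod hardening checks and verifies that each workload's namespace has a default-deny NetworkPolicy. Manifests are held as Python dicts (the JSON form kubectl accepts; a real pipeline would load YAML with PyYAML). The two sample workloads, the registry name and the check list with its severities are this example's own constructions.

```python
"""Pre-deploy hardening checks for AKS workload manifests.

Added example, not from the original deck or Microsoft. Checks are in the
spirit of the CIS Kubernetes benchmark; severities are this example's choice.
Manifests are plain dicts (the JSON form kubectl accepts).
"""


def pod_spec(manifest):
    """Return the PodSpec for a bare Pod or for a workload's pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_pod(manifest):
    """Return (severity, message) findings for one workload."""
    name = f'{manifest["kind"]}/{manifest["metadata"]["name"]}'
    spec = pod_spec(manifest)
    findings = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(("HIGH", f"{name}: {key} is enabled"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f'{name}:{c["name"]}'
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(("HIGH", f"{cname}: privileged container"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("MEDIUM", f"{cname}: allowPrivilegeEscalation not set to false"))
        # runAsNonRoot may be set at pod or container level; the container value wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(("MEDIUM", f"{cname}: runAsNonRoot not enforced"))
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(("LOW", f"{cname}: root filesystem is writable"))
        # Pinned means a digest, or at least a non-'latest' tag on the last path segment.
        last = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in last or image.endswith(":latest")):
            findings.append(("MEDIUM", f"{cname}: image '{image}' is not pinned"))
        if not c.get("resources", {}).get("limits"):
            findings.append(("LOW", f"{cname}: no resource limits"))
    return findings


def has_default_deny(policies, namespace):
    """True if a policy in the namespace selects every pod and allows nothing in or out."""
    for p in policies:
        if p["metadata"].get("namespace") != namespace:
            continue
        selects_all = p["spec"].get("podSelector", {}) == {}
        types = set(p["spec"].get("policyTypes", ["Ingress"]))
        no_rules = not p["spec"].get("ingress") and not p["spec"].get("egress")
        if selects_all and no_rules and {"Ingress", "Egress"} <= types:
            return True
    return False


def assess(manifests):
    """Run every check; returns (findings, passed). Any HIGH finding fails the gate."""
    policies = [m for m in manifests if m["kind"] == "NetworkPolicy"]
    findings = []
    for m in manifests:
        if m["kind"] in ("Pod", "Deployment", "StatefulSet", "DaemonSet", "Job"):
            findings += check_pod(m)
            ns = m["metadata"].get("namespace", "default")
            if not has_default_deny(policies, ns):
                findings.append(("HIGH", f"namespace {ns}: no default-deny NetworkPolicy"))
    findings = sorted(set(findings))
    return findings, not any(sev == "HIGH" for sev, _ in findings)


# Constructed samples: a weak deployment, its hardened form, and a default-deny policy.
WEAK = {"kind": "Deployment", "metadata": {"name": "api", "namespace": "default"},
        "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
            {"name": "api", "image": "myregistry.azurecr.io/api:latest",
             "securityContext": {"privileged": True}}]}}}}

HARDENED = {"kind": "Deployment", "metadata": {"name": "api", "namespace": "payments"},
            "spec": {"template": {"spec": {
                "securityContext": {"runAsNonRoot": True},
                "containers": [{"name": "api",
                                "image": "myregistry.azurecr.io/api@sha256:" + "0" * 64,
                                "securityContext": {"allowPrivilegeEscalation": False,
                                                    "readOnlyRootFilesystem": True,
                                                    "capabilities": {"drop": ["ALL"]}},
                                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}

DEFAULT_DENY = {"kind": "NetworkPolicy",
                "metadata": {"name": "default-deny", "namespace": "payments"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

if __name__ == "__main__":
    for label, bundle in (("weak", [WEAK]), ("hardened", [HARDENED, DEFAULT_DENY])):
        found, ok = assess(bundle)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for sev, msg in found:
            print(f"  {sev:6} {msg}")
```

The weak bundle fails on three HIGH findings (host networking, a privileged container, and no default-deny policy in its namespace) and collects the medium and low items as well; the hardened bundle passes clean. The same checks belong in an admission controller on the cluster, so that what the pipeline enforces cannot be bypassed with a direct kubectl apply.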
- FIPS 203: ML-KEM (CRYSTALS-Kyber), key encapsulation
- FIPS 204: ML-DSA (CRYSTALS-Dilithium), digital signatures
- FIPS 205: SLH-DSA (SPHINCS+), hash-based digital signatures
Azure is preparing for post-quantum threats by adopting these three NIST standards, finalized in August 2024, starting with key exchange, where recorded traffic can be decrypted later once a large enough quantum computer exists.
- Shift-Left Security: Integrate security early in the development lifecycle.
- Automate Compliance: Use tools to automate security checks and reporting.
- Continuous Monitoring: Continuously monitor and improve security posture.
DevSecOps on AKS supports both security and compliance: it automates the checks and the evidence they produce, and it improves the posture continuously rather than at audit time.
Formal thanks to SFSSUG at the Microsoft LATAM Office.