...
- Principle of least privilege: Provide edge node components and external interfaces only the required access and deny everything else.
- Defense in Depth: Multi layered defense techniques to delay or prevent a cyber attack in the industrial network
- Risk Analysis: Practice used to address risks related to production infrastructure, production capacity etc
...
OpenHorizon-AnyLog Integration.drawio original draw.io file for any modifications if needed.
Deployment Design
TODO
User Experience
Deployment UX
- Should we consider k8s mode of deployment or pure-containerized mode of deployment? KubeArmor works best with k8s mode of deployment and is the recommended mode. Having said that, the previous integration/demo/POC done with OH was in pure-containerized mode.
- How would the deployment of KubeArmor on the target edge node happen? Will it be deployed as a separate workload with its own control plane or will it be integrated into the same control plane as that of OH?
- There is a value in keeping KubeArmor and associated tooling decoupled from Anax and OH Management Hub. This would allow independent updates and essentially the security should be considered as one more addon from the service provider side of things.
- The real challenge here is how would OH framework allow extensions to be built to integrate third party tooling?
- Ship the hardening policies along with the KubeArmor installation.
Day2 Operations UX
- How would the policy add/delete/list/modify work?
- How would the recommended policies be shown to the user?
- How would the SIEM tools integrations be done and at what point?
- How would upgrade of KubeArmor be handled?
Use-cases to consider
<TODO: Every security use-case could have a corresponding set of tags that could indicate the fulfilled compliance control, or attack framework (for e.g., MITRE) control fulfilled.>
Observability & Monitoring use-cases
Security Event Monitoring:
- File Integrity Monitoring: Any changes to the systems folders should be monitored/audited.
- Reverse Shell execution
- Use of security sensitive primitives: setuid(), setguid(),chmod(),chown(),
- Updates to root certificates folder
- Use of
kubectl exec
to gain shell access in the pod - Privilege escalation attempted
- Monitor for external networks access
- Suspicious IP detection (for e.g. using Feodo Blocked IP List)
Application Performance Monitoring:
- Excessive CPU usage: >90% of CPU used consistently for > 2 mins
- Excessive Memory usage: >80% of allocated memory used
- ...
Protection: Hardening use-cases
...
Node Hardening:
- Protect systems folders: Do not allow updates to kernel modules on the host.
- Prevent root certificates updates
Workload/Pod/Container Hardening:
- Protecting workload secrets
- Protecting sensitive assets mounted using volume mount points
Protection: Enforcing principle of least privilege
...
- Network Segmentation and enforcing least privilege n
Protection: Enforcing Network Protection
TODO
Workload Forensics
TODO
charisse lu Should we create security guidelines for workload creators?
- How to extend Anax cli and integrate with karmor cli? Can we expect the user to have two clis? Does Anax cli offer pluggable interfaces?
- The policy add/delete/update/list should be handled through this cli.