The CNCF Security Technical Advisory Group (TAG) has just released a refreshed Cloud Native Security Whitepaper v2 to help educate the community about best practices for securing cloud native deployments. The whitepaper intends to provide organizations and their technical leadership with a clear understanding of cloud native security, its incorporation in lifecycle processes, and considerations for determining the applicability of standards such as NIST SSDF. The first version of the whitepaper was released on Nov 18, 2020. The paper has been translated into different languages and an audio release of version 1 can be found here.
“In the past 18 months, the security industry and our group has evolved with attacks on supply chain and ransomware in the limelight. We received excellent feedback on improvements to the first version of the paper as part of a months-long retrospective process. Our group has also grown with multiple supplementary material like Secure Supply Chain Security Whitepaper, Cloud Native Security Map and Lexicon published since the first version of this paper. As a sign of the vibrant community, just like the first version, the people across the community brought their passion, skill sets and expertise to address end user feedback and growing pains in the Cloud Native Security space” said TAG Security Tech Lead Pushkar Joglekar.
While the large majority of the original paper, stands the test of time, this refreshed version demystifies security assurance and compliance by walking through specific use-cases of ransomware incident handling and how to secure financial institutions under EU regulations. Feedback from readers of the original paper is also addressed through inclusion of these new sections:
- Secure Defaults – Cloud Native 8: A high level guidance on implementing cloud native apps that are secure by default.
- SSDF v1.1 mapping: Maps the NIST SSDF practices and tasks to Cloud Native Security Application Lifecycle
- ATT&CK Threat matrix for Containers: Summary of how the threat matrix provides a structure towards applying guidance described in this paper
- Guidance on how to share feedback: Instructions on how to share feedback on the paper is now part of the paper with a short summary on how feedback was collected and addressed after publication of the first version.
The CNCF Security TAG aims to facilitate a vendor neutral collaboration to discover and produce resources that enable secure access, policy control, and safety for operators, administrators, developers, and end-users across the cloud native ecosystem. If you are interested in participating in the Security TAG, check out the Charter for more information and please come say “Hi!” on #tag-security channel on CNCF Slack.
The whitepaper is available on GitHub.