Author: Tiexin Guo

How We Used to Handle Security

A few years ago, I was working on a completely new project for a Fortune 500 corporation, trying to bring a brand new cloud-based web service to life simultaneously in 4 different countries in the EMEA region, which would later serve millions of users.

It took me and my team two months to handle everything: cloud infrastructure as code, state-of-the-art CI/CD workflows, containerized microservices in multiple environments, frontend distributed to CDN, and tests passing in the staging environment. We were so prepared that we could go live immediately with just one extra click of a button. And we still had a whole month before the planned release date.

Kubernetes (K8s), an open-source container orchestration system, has become the de-facto standard for running containerized workloads thanks to its scalability and resilience.

Although K8s has the capabilities to streamline deployment processes, the actual deployment of applications can be cumbersome, since deploying an app to a K8s cluster typically involves managing multiple K8s manifests (like Deployment, Service, ConfigMap, Secret, Ingress, etc.) in YAML format. This isn't ideal because it introduces additional operational overhead due to the increased number of files for one app. Moreover, it often leads to duplicated, copy-pasted sections of the same app across different environments, making it more susceptible to human errors.

In my previous tutorials, we looked at Azure Key Vault and Google Secret Manager:

• How to Handle Secrets With Azure Key Vault: In this piece, we had a look at the Zero Trust security strategy, how to put it into practice to secure applications and data, and how secrets managers can help to achieve the Zero Trust goal. We also included a tutorial on Kubernetes/SPC to use secrets from secret managers.
• How to Handle Secrets With Google Secret Manager: In this piece, we did a tutorial on using secrets from secret managers in your CI workflows (GitHub Actions).

If you haven't read them yet, please give them a quick read, because even if you are not an Azure or a GCP user, they still might be worth reading.

Let's start with a story: Have you heard the news about CircleCI's breach? No, not the one where they accidentally leaked some customer credentials a few years back. This time, it's a bit more serious.

It seems that some unauthorized individuals were able to gain access to CircleCI's systems, compromising the secrets stored in CircleCI. CircleCI advised users to rotate "any and all secrets" stored in CircleCI, including those stored in project environment variables or contexts.

Quick Introduction to the Software Supply Chain

Recently, “software supply chain attack” has been breaking all the news headlines. One infamous example is the SolarWinds attack or the 2020 United States federal government data breach. In fact, according to a 2021 report from Gartner:

By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.

In my previous articles, we discussed what Policy-as-Code is, why we need it, and how to use the Open Policy Agent (OPA) tool. If you haven’t read the introduction yet, please take some time to read it first here. 

Following the OPA introduction, I started the first part of an OPA/Kubernetes integration tutorial, showing how to use OPA to enforce policies inside a Kubernetes cluster. Here’s the link to the first part of the tutorial.

As Kubernetes has become the de-facto platform to orchestrate containerized workloads, more users have begun to look for ways to control and secure their Kubernetes clusters.

Hardening is a thing for sure, but what about enforcing policies inside a cluster? This is a completely different task that requires a different set of tools.

Modern infrastructure and methodologies bring us enormous benefits, but, at the same time, since there are more moving parts, there are more things to worry about: how to control access to your infrastructure? How to control access between services? Who can access what? Etc.

There are many questions to be answered, including policies: a bunch of security rules, criteria, and conditions. Examples:

1. What Is BOM?

BOM stands for Bill of Materials, which has been used for quite a long time by the automotive industry as a method for the supply chain management.

You might have heard of the term if you are familiar with the automotive industry. Even if you are not, don’t worry.

Part 1 connected to this article focuses on users, groups, and policy automation with Terraform. If you haven't read it yet, it's called Managing AWS IAM With Terraform: Part 1.

Following the first part, in this tutorial, we will cover:

In my previous article, AWS IAM Security Best Practices, we covered a bunch of theoretical best practices on AWS IAM. In this tutorial, we will cover the basics of managing AWS IAM using Terraform.

Side note: this article assumes you already understand what Terraform is and know the basics of it. If not, start with a Terraform official tutorial.

We'll see: 

What Is the DMCA?

The DMCA is short for the Digital Millennium Copyright Act.

On Oct 12, 1998, the US Congress passed the DMCA, which amended U.S. copyright law to address important issues of the relationship between copyright and the internet.