This workshop explores how to connect an AKS cluster to Calico Cloud and configure it to meet SOC 2 compliance requirements: securing workloads and generating compliance reports.

tigera-solutions/cc-aks-compliance

Calico Cloud SOC2 Compliance Workshop

Welcome

The intent of this workshop is to provide an introduction to the Calico features that support SOC 2 compliance.

SOC 2 Trust Services Criteria

SOC 2 is based on five overarching Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality, and privacy. Specifically, the security criteria are broken down into nine sections called common criteria (CC):

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

SOC 2 compliance rules mapping to Calico capabilities

Running Kubernetes clusters often presents challenges for CC6 (logical and physical access controls), CC7 (system operations), and CC8 (change management) when trying to comply with SOC 2 standards.

Control#: CC 6.1, 6.6, 6.7, 6.8
Requirement(s): Implement logical access security measures so that only authorized systems can connect; implement controls to prevent, or detect and act upon, the introduction of malicious software.
Calico control(s):
  • Calico can control ingress and egress between microservices and external databases, cloud services, APIs, and other applications.
  • Calico can apply least-privilege access controls to a cluster, denying all network traffic by default and allowing only those connections that have been authorized.
  • Calico can encrypt data in transit for added protection against data tampering.
  • Calico can organize all SOC 2 endpoints in one or more namespaces.
  • Calico configures the namespace for default-deny and whitelists all permitted ingress and egress traffic.

Control#: CC 7.1
Requirement(s): Monitor and detect configuration changes; provide vulnerability management capability.
Calico control(s):
  • Calico continuously monitors and logs all workloads for compliance against existing security policies.
  • Calico alerts on any configuration changes that may impact existing security policies.
  • Calico scans container images for vulnerabilities and assigns a pass, warn, or fail label that automatically allows or blocks the image from deployment.

Control#: CC 7.2, 7.3, 7.4
Requirement(s): Monitor systems and components for anomalies and indicators of compromise.
Calico control(s):
  • Calico anomaly and threat detection capabilities:
      • Monitor and analyze threats
      • Automatically quarantine compromised workloads
      • Review network flow logs for statistical and behavioral anomalies

Control#: CC 8.1
Requirement(s): Change management: authorize, track, and approve changes to the system.
Calico control(s):
  • Calico records all policy changes and provides a change history for audit.
  • Calico provides granular control over who is authorized to make changes to policies, endpoints, and namespaces.
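The default-deny-then-allow pattern from the CC6 row, as an added example that is not part of the workshop repository: a set of Calico NetworkPolicy resources for a hypothetical namespace soc2-app whose pods are assumed to carry the labels app=frontend and app=backend, with DNS served from the kube-system namespace.

```yaml
# Constructed example for a hypothetical namespace "soc2-app"; policy 1 denies what no lower-order policy allows.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: soc2-app
spec:
  order: 1000          # evaluated last; the allow policies below use order 100
  selector: all()
  types: [Ingress, Egress]
---
# Policy 2: backend accepts ingress only from frontend pods, and only on TCP/8080.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: backend-ingress
  namespace: soc2-app
spec:
  order: 100
  selector: app == 'backend'
  types: [Ingress]
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      destination:
        ports: [8080]
---
# Policy 3: frontend egress is limited to backend on TCP/8080 plus DNS; default-deny also drops egress, so both sides need rules.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: frontend-egress
  namespace: soc2-app
spec:
  order: 100
  selector: app == 'frontend'
  types: [Egress]
  egress:
    - action: Allow
      protocol: TCP
      destination:
        selector: app == 'backend'
        ports: [8080]
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == 'kube-system'
        ports: [53]
```

Apply with `kubectl apply -f` after labelling the pods; any connection not matched by an Allow rule (for example backend reaching out to the internet) is dropped by the order-1000 policy and shows up as a denied flow in the flow logs.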

Workshop Objectives

We will focus on securing a microservices-based application and then on auditing and reporting the controls put in place to adhere to SOC 2 controls. To accomplish this we will focus on these areas:

SOC2

SOC2 Description Criteria

White Papers

SOC2
