So, an introduction to cloud native security. It's the maintainer track. Here's the agenda for the presentation. We'll be doing a quick introduction to SIG Security, and I will be discussing roadmap activities and initiatives and sharing information on how you can get involved. My name is Radna Chital. I'm an executive for cloud security at a financial organization called TIAA. I'm also a technical lead for the CNCF security team and a research fellow for the Cloud Security Alliance. Thank you. Andres, do you want to introduce yourself?

Hi there. This is Andres Vega, along with Radna. I'm also a technical lead for the CNCF Special Interest Group for Security. My day job is as a product line manager for product security at VMware, for VMware Tanzu. And we also have Ash Narkar.

Hi, Andres. My name is Ash Narkar. I'm a software engineer at Styra. I'm one of the maintainers of Open Policy Agent, and I'm also one of the team leads at SIG Security. Radna, take it away.

Thank you, Andres. So, an introduction to CNCF SIG Security. What is SIG Security? Cloud security is complex. The ecosystem consists of multiple layers of infrastructure, platform components, service mesh, microservices, and so on and so forth. To add to that, there's constant evolution and an ever-changing landscape of tools and technologies. This makes for a very complex system to understand and manage for cloud consumers. Now, complexity is the enemy of security. The threat landscape is constantly evolving in the space of supply chain security, application code vulnerabilities, container breakouts, etc. Not having full visibility, as well as appropriate security tools and integrations into the different layers of cloud native projects, leaves cloud consumers with a sense that the cloud native ecosystem is too complex and hard to understand in terms of operating it securely and continuously. But that's where SIG Security comes into play. SIG Security is an open source community that is made up of cloud native security enthusiasts.
We want to make it simple to understand how to secure a cloud native ecosystem, and provide best practices, tools, policies, and guidance to the community. You know, cloud native services are deployed in heterogeneous environments, and having security controls across the ecosystem requires security policies to be deployed in code. So in order to facilitate some of this guidance, as well as help the community, CNCF has major focus areas to support the community. Some of those areas are: provide guidance for the protection of heterogeneous, distributed, fast-changing systems while providing access to tools and technologies; provide a common understanding as well as common tools for developers to build security into their services and meet security and compliance requirements continually; and at the same time, provide detection tools and common audit criteria about the cloud native ecosystem to the community, so that they can maintain a sense of security throughout the lifecycle of their services. There are a number of resources that SIG Security has published. They provide use cases and personas. At the same time, there are published best practices, patterns, architecture patterns and anti-patterns as well. Several other security artifacts like security scenarios, network configurations, service orchestration, application security guidance, etc. are also published, along with architectures and patterns for providing secure access. In addition to all of this, there are security assessments, specific proposals and projects, and several other resources, which can be found at some of the links that are provided in the slide. There's a blog post with information about initiatives and any releases or assessments being conducted. We also have a GitHub presence where all the issues are logged and progress is made on those issues by the community and volunteers of SIG Security.
There's a Slack channel where you can post questions about any specific security issues you may be running into in your implementation, and anyone in the community who has faced them could potentially help you with that. We do have regular meetings: weekly meetings in the United States on Wednesdays at 10am GMT-7, and biweekly meetings in the APAC time zone as well, on Tuesdays at 1pm GMT+11. We potentially will be starting an EU-based time zone meeting as well, based on the interest, engagement and requirements of the EU community. So please feel free to attend any of these meetings to learn more about SIG Security and all the initiatives. I just want to share with you that we recently got an award for Most Effective DevSecOps Team of 2020 from DevSecCon. That is Brandon Lum, one of our technical leads, receiving the award on behalf of the community. So let's talk a little bit about the roadmap and initiatives of SIG Security in 2021. Head over to our GitHub page where the roadmap is published; I'm just showing a snapshot of it on the screen. There are a number of initiatives which are being actively worked on, several are still being explored, and there are proposals in the pipeline as well. You're probably aware of the fact that SIG Security published a cloud native security white paper earlier this year, which was read by the wider community, and we'll be talking a little more about that in the following slides. There are security assessment projects in the queue. There is a policy working group where there's much work going on at the same time. There are future projects in the pipeline like serverless security, etc., which we'll be getting more into in the following slides. So with that, I would like to hand over to Ash. Ash, please take it away to continue the conversation about the SIG Security white paper.

Thank you. So now we'll talk about the cloud native security white paper. So what is the cloud native security white paper?
It's a SIG Security effort to ensure the cloud native community has access to information about building, distributing, deploying and running cloud native capabilities. The paper is intended to be an initial starting point for the community in understanding the intricacies of a secure cloud native architecture. It references other resources that may help in providing in-depth information about the topics discussed in the paper, so the reader may choose to research further. The white paper is intended to be a living document, created and maintained for the community by SIG Security members. With that being said, we now have an effort to gather feedback around the white paper from readers of the paper and the community at large, to gauge the effectiveness of the white paper, how we can improve on it, and so on. To do that, we've started a survey which captures questions like how much of the white paper have you read, or what aspect of security would you like the community to focus on. So if you want to get involved, please go ahead and participate in the survey, and if you also want to be part of the team that's leading this effort, check out issue 480 in the SIG Security repo. Now let's talk about the cloud native security map. The white paper that we saw in the previous slide provides an introduction to different aspects of cloud native security, but it avoided any specific projects and products that readers could practically use for a specific use case. So for example, you did not see any mention of projects like Kubernetes or Open Policy Agent in the white paper as a means for performing orchestration or cloud policy enforcement and so on. So the motivation behind the cloud native security map is to fill this gap and provide a practical viewpoint of the topics covered in the white paper.
As we've seen before, the white paper talks about four phases: develop, distribute, deploy and runtime, to create resilient and observable workloads which can be run in your clouds. And so now you have the security map, which attempts to provide a mapping of CNCF and open source projects to these four phases in the white paper. The map also provides examples of how these tools can be utilized in a particular category, thereby providing users a one-stop shop to explore available technologies and how they can be leveraged in their frameworks. So if this sounds interesting and you want to be part of the team which is leading this effort, check out issue 551 in the SIG Security repo. And then finally, we wanted to provide you a snapshot of the first iteration of the cloud native security map. On the left pane, you'll see those four phases: develop, distribute, deploy and runtime. And you see there are subsections for each phase. For example, you have a container application manifest section, which lists all the projects that are part of this section and can perform application manifest security. And then you can also see examples of how you can actually use those projects inside your architectures to secure your frameworks. So the map is a work in progress, and we plan to add more interactive and user-friendly features to the map in the future. I hand it over now to Andres.

Thanks, Ash. That's awesome, by the way. Well, security means different things to different people. And you can be secure without knowing you're secure, or you might think you're secure without that actually being the case. Given that it means different things to different people, and depending on our background and experience, folks in the group tend to organize based on interest, based on areas where they might have the most energy to tackle a problem. This is especially so given recent incidents and high-profile attacks that have taken place in recent times.
One of the areas where there's a lot of interest in capturing a framework that provides recommended practices and tools is securing supply chains. Within the special interest group we formed a working group. As a matter of fact, there is a talk on the main track of the event here at KubeCon, titled "Protecting Ourselves from CNCF Gate: Software Supply Chain Security at CNCF, Practices and Tools", where members of the SIG are presenting the work that culminated from folks having gathered for the last three months to talk about what the lessons learned are, and how to fit recommendations and different tools from the parts bin to the varying risk profiles of organizations. There's quite a bit of substance in the talk. Even though so far the work, similar to the cloud native security map, has been somewhat conceptual, we're starting to get to a semblance of architecture and implementation. The work from the group is going to be evolving, and the content that's been produced is to be presented as a white paper that is in the final stages of review. By the time that we get to the date of the event (we're pre-recording the talk), most likely the paper will have been published. From there on, getting community review, we really want to get to capturing that framework and producing templates and code samples that you can customize and modify to fit your requirements and adapt to the different processes and tools that you might have in place. So, once again, this is one of the many projects that are touched on in the roadmap. This is just to give you an exhibit of the things that SIG Security does. Another great example of the ongoing work that SIG Security performs is reviewing the security properties and the security aspects of the different projects in the ecosystem.
The goal behind the security assessments is to provide adopters, as well as newcomers to the technology, a glance at the failure modes and security of a particular project. We produce threat models for the different software. The idea is that providing the documentation and the analysis from a security standpoint can really accelerate adoption cycles when people are evaluating the usage of a technology in their production environments, and help them be conversant and articulate. We have a large pool of security experts that are coming together and analyzing the projects at a very detailed level, taking into account a lot of different considerations, just to give people who come down the line a better understanding of everything pertaining to security. The assessments have been done for a number of projects including Harbor, Keycloak, Open Policy Agent, SPIRE; I might be missing a few. We have them all available as open source. You can read through the architecture, the threat modeling, the software development best practices, how the projects handle vulnerabilities, etc. For example, come by the SIG Security repository, github.com/sig-security. Sorry, github.com/cncf/sig-security, and you'll be able to look at the different assessments that have been performed. One of the streams is, given that we've established a bench of security experts really well-rounded on the different areas that make up cloud security, different organizations, or the broader CNCF and Linux Foundation, have come to SIG Security to tap into that pool of experts. For example, for the recent CKS certification, the Certified Kubernetes Security Specialist, Linux Foundation learning pulled in SIG Security to get the authors for the curricula, the exam questions, and all the surrounding content. It's a great opportunity to contribute your expertise and get exposure and visibility and increase the breadth of your impact, really.
The last example I'll be talking about myself is the organization and production of events, which we use as a stage and as an arena to get cloud native security in front of other people, and as a platform to discuss breakthrough ideas, innovation and new technologies, and to provide presentations, parallel to KubeCon and CloudNativeCon. By the time you're going to be listening to this talk, we will already have concluded Cloud Native Security Day, and the talks will have been made available for posterity, but the program committee for the event came out of SIG Security. So you can get a glance at what type of work and what type of results come out from involvement in the group. Parallel to all the sessions we hosted, and there's really good content we got in there, we also collaborated to produce an interactive capture-the-flag activity where different people could come in and get hands-on around attack and defense scenarios. So this is just one of the many things we do around the production of events. With that said, I will pass it back to Radna to exemplify another of the initiatives we do and close us up from there.

Thank you, Andres. Serverless computing refers to the concept of building as well as running an application that doesn't require server management. That doesn't mean that we don't need to use servers anymore to host and run code. It just means that functionality is offloaded to a provider, and the serverless consumer only needs to worry about the application code that they need to run in that environment. There are a number of threats when it comes to serverless deployments today, because of the different components and the integrations that are possible with serverless microservices that are deployed in a cloud native environment. Obviously this is a pay-as-you-go model; you have infinite scalability because of the cloud provider capabilities in this space.
I know there are a number of serverless platforms out there, including open source ones like OpenWhisk. AWS has AWS Lambda, and Google Cloud Functions and Azure Functions platforms are also available in the industry, and the open source community is also coming up with a few other platforms. They are stateless, easily parallelized, highly dynamic, and they can communicate asynchronously with other services as well as components. There's much work that has been done by the serverless group in CNCF, but the initiative that we are kicking off later this year will be focusing on serverless security: the security aspects of deploying serverless functions. What are the threats, how do we mitigate them, what are the best practices at the different layers that a serverless consumer has to worry about. At the same time, the persona of the provider, and what functionality and what security they need to provide to give enough visibility to the consumer organizations, is also going to be addressed as part of those security best practices. The guidance that CNCF SIG Security will be working on later this year, the timeframe is sometime in Q3 and Q4 depending on the bandwidth of the participants, but this is going to be an interesting piece of work that we embark on, so I encourage you to get involved and participate and get your voice in. Also, if you are having challenges in the serverless space securing your platform or services, this will be a good place to interact with other people who are deploying their services as well. So I welcome your participation in this working group, and make an impact on the industry. Thank you.

Awesome. Thanks for that. With that, we just want to wrap up and state that hopefully the different work streams and activities that the Special Interest Group for Security is driving are meaningful and relevant to you. We want to make this as active, participative and collaborative as we possibly can. We want to encourage your participation.
Everyone is welcome, whether you're a software developer, you're an architect, or you're someone that perhaps has a supporting function to cloud native in a less technical role, be it a project manager or a product manager. We want to state that the more the merrier, and the better rounded and balanced the set of skills we can bring in. There's room for it here. There's certainly need. And we would love to have your help. So, a great starting point is the GitHub repository for the special interest group, but aside from that, feel free to reach out to any of us directly through GitHub or Slack. And with that said, I hope you keep everything secure, and enjoy the rest of the event. Ash, any parting thoughts?

I know, it's like Andres said: join us. We are open to discussing all things security. We have weekly meetings, so join us for those if you're interested in security and want to learn more. And we are happy to talk to you. Thank you.