Security Compliance
IT Common Platform users are responsible for meeting the ITSO application software security standards, which include CIS IG2 compliance. The ITCP helps you meet certain requirements, but none of the items below is completely covered by the ITCP. You will need to review each requirement and make sure that you are in compliance.
16.1 - Establish and Maintain a Secure Application Development Process
We help you to identify security vulnerabilities and misconfigurations in your images and dependencies through Trivy scans in our CI pipeline templates and scanning of active workloads. You can find more information in our Trivy documentation.
16.4 - Establish and Manage an Inventory of Third-Party Software Components
Trivy generates SBOMs for all running workloads. You can access them using the kubectl CLI or use a custom CI pipeline based on our building blocks to generate SBOMs before deploying. You can find more documentation here.
16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
Trivy categorizes known vulnerabilities by severity. It also links to the CVE entry so that you can find more information about each vulnerability.
16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure
The underlying Kubernetes infrastructure and ITCP-provided services are hardened and meet CIS benchmark standards. We require that pods run under a restricted Pod Security Policy.
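As an added example, not taken from the ITCP documentation, here is a Pod manifest whose security context satisfies the Kubernetes "restricted" Pod Security Standard, which is what a restricted policy enforces; the pod name, namespace, UID and image are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-app            # placeholder name
  namespace: my-tenant         # placeholder tenant namespace
spec:
  securityContext:
    runAsNonRoot: true         # restricted: the container must not run as UID 0
    runAsUser: 10001           # explicit non-root UID (constructed value)
    seccompProfile:
      type: RuntimeDefault     # restricted: seccomp must be RuntimeDefault or Localhost
  containers:
    - name: app
      image: registry.example.com/team/app:1.0.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false   # restricted: required
        privileged: false                 # restricted: privileged containers are rejected
        capabilities:
          drop: ["ALL"]                   # restricted: drop ALL; only NET_BIND_SERVICE may be added back
        readOnlyRootFilesystem: true      # not required by restricted, but a cheap extra hardening step
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}             # writable scratch space, since the root filesystem is read-only
```

A pod missing any of the required fields (for example omitting `allowPrivilegeEscalation: false` or `drop: ["ALL"]`) is rejected at admission time under the restricted profile, so these settings are worth adding to your base manifests rather than per deployment.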
16.8 - Separate Production and Non-Production Systems
Users are free to create as many tenants as needed to separate production and non-production workloads. We have three tiers for development, pre-production, and production. Users can request tenants for the pre-production and production clusters.
16.9 - Apply Secure Design Principles in Application Architectures
We minimize the application infrastructure attack surface by running vetted and up-to-date components. Our Gatekeeper and Landlord policies, together with mandatory GitOps, create an environment that is architecturally more secure.
16.11 - Leverage Vetted Modules or Services for Application Security Components
The ITCP provides the following vetted modules and services:
- Logging to CLS out of the box for all applications that use standard Kubernetes logging to stdout and stderr
- Cert Manager for creating TLS certificates in a cloud native way
- Vault integration for secrets management and Sealed Secrets for protecting secrets stored in your tenant repositories
- CI pipeline templates